CVE-2026-55479
Received Received - Intake

Legacy License Checkin Permission Bypass in Snipe-IT

Vulnerability report for CVE-2026-55479, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: GitHub, Inc.

Description

Snipe-IT is an IT asset/license management system. Prior to 8.6.2, the legacy single-seat license checkin flow authorizes the action with the checkout permission instead of the checkin permission, allowing a user who can assign licenses but not unassign them to directly access the old checkin endpoint and reclaim a license seat assigned to another user or asset. This issue is fixed in version 8.6.2.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-11
AI Q&A
2026-07-11
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
snipeit snipeit 8.6.2
grokability snipe-it to 8.6.2 (exc)
grokability snipe-it From 8.6.1 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The vulnerability allows unauthorized users to reclaim license seats assigned to other users or assets by exploiting incorrect permission checks in the license checkin process.

This unauthorized access to license assignments could potentially lead to improper handling of asset or user data, which may impact compliance with standards and regulations that require strict access controls and data integrity, such as GDPR and HIPAA.

However, the provided information does not explicitly state the direct impact on compliance with these regulations.

Executive Summary

CVE-2026-55479 is a vulnerability in Snipe-IT, an IT asset/license management system, affecting versions prior to 8.6.2. The issue arises because the legacy single-seat license checkin flow incorrectly authorizes the checkin action using the checkout permission instead of the checkin permission.

This means that a user who has permission to assign licenses (checkout permission) but not to unassign them (checkin permission) can exploit this flaw to directly access the old checkin endpoint and reclaim a license seat assigned to another user or asset.

The vulnerability was fixed in version 8.6.2 by changing the authorization checks in the code to require the correct checkin permission.

Impact Analysis

This vulnerability can allow unauthorized users who have license assignment permissions but not license unassignment permissions to reclaim license seats assigned to other users or assets.

As a result, it can lead to improper license management, potential license seat theft, and disruption of asset allocation within an organization.

This could cause operational issues, inaccurate license tracking, and possibly financial or compliance risks if licenses are misused or misallocated.

Detection Guidance

This vulnerability involves an incorrect permission check in the legacy license checkin API of Snipe-IT versions 8.6.1 and earlier. Detection would involve monitoring or auditing attempts to access the license checkin endpoint without proper checkin permissions.

Specifically, you can look for API calls or web requests to the legacy license checkin endpoint that are authorized using the 'checkout' permission instead of the 'checkin' permission.

Since the vulnerability is related to permission misuse, commands or scripts that audit user permissions and their API usage logs could help detect exploitation attempts.

However, no specific detection commands or tools are provided in the available resources.

Mitigation Strategies

The primary mitigation step is to upgrade Snipe-IT to version 8.6.2 or later, where the vulnerability has been fixed by correcting the permission check from 'checkout' to 'checkin' in the license checkin flow.

Until the upgrade can be performed, restrict access to the legacy license checkin endpoint to only trusted users who have appropriate permissions.

Review and audit user permissions to ensure that users who can assign licenses do not have unauthorized access to reclaim licenses via the checkin endpoint.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-55479. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart