CVE-2026-55515
Received Received - Intake

Snipe-IT Unauthorized Pending Asset Report Deletion

Vulnerability report for CVE-2026-55515, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: GitHub, Inc.

Description

Snipe-IT is an IT asset/license management system. Prior to 8.6.2, the unaccepted-assets report delete endpoint authorizes only reports.view and deletes CheckoutAcceptance::pending()->find($acceptanceId) by global ID without checking access to the related checkoutable asset, allowing a reports user in one company to delete pending checkout acceptance records for another company. This issue is fixed in version 8.6.2.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-11
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
snipe-it snipe-it 8.6.2
grokability snipe-it 8.6.2
grokability snipe-it to 8.6.1 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-55515 is a security vulnerability in the Snipe-IT asset management system that allows a user with the 'reports.view' permission to delete pending checkout acceptance records belonging to other companies.

The issue arises because the delete endpoint for unaccepted-assets reports only checks if the user has report viewing permissions and deletes records by global ID without verifying if the user has access to the related asset or company.

This means a user from one company can delete pending checkout acceptance records of assets belonging to another company, bypassing intended multi-company access controls.

The vulnerability was fixed in version 8.6.2 by adding authorization checks that ensure users can only delete pending acceptances if they belong to the same company or are superusers.

Impact Analysis

This vulnerability can impact you by allowing unauthorized users to delete pending checkout acceptance records for assets in your company.

Such unauthorized deletions can tamper with data integrity, potentially suppressing evidence of unaccepted custody or interfering with asset management workflows.

If exploited, it could disrupt your company's asset tracking and compliance processes by removing important pending acceptance records.

Compliance Impact

This vulnerability can negatively affect compliance with standards and regulations such as GDPR and HIPAA by allowing unauthorized deletion of asset acceptance records.

Such unauthorized deletions may suppress evidence required for audits, interfere with proper asset custody tracking, and undermine data integrity controls.

This could lead to non-compliance with regulatory requirements that mandate accurate record-keeping and access controls.

Detection Guidance

This vulnerability involves unauthorized deletion of pending checkout acceptance records via the unaccepted-assets report delete endpoint when a user has the reports.view permission but lacks proper access to the related asset.

To detect exploitation attempts, monitor logs for DELETE requests to the unaccepted-assets report delete endpoint that are initiated by users with only reports.view permission.

Commands to help detect suspicious activity might include:

  • Checking web server or application logs for DELETE requests to the endpoint related to pending checkout acceptances.
  • Using grep or similar tools to filter logs for users with reports.view permission performing delete actions, e.g., `grep 'DELETE /api/reports/unaccepted-assets' /var/log/snipeit/access.log`.
  • Auditing application logs or database logs for deletion of pending acceptance records that do not correspond to the user's company.
Mitigation Strategies

The primary mitigation is to upgrade Snipe-IT to version 8.6.2 or later, where the vulnerability is fixed by adding proper authorization checks to prevent cross-company deletion of pending checkout acceptances.

If immediate upgrade is not possible, restrict the reports.view permission to trusted users only, as this permission alone allows deletion of pending acceptance records across companies.

Additionally, monitor and audit deletion activities on pending checkout acceptance records to detect and respond to unauthorized deletions.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-55515. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart