CVE-2026-55516
Undergoing Analysis Undergoing Analysis - In Progress

Snipe-IT Maintenance Record Asset Scope Escalation

Vulnerability report for CVE-2026-55516, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: GitHub, Inc.

Description

Snipe-IT is an IT asset/license management system. Prior to 8.6.2, PATCH or PUT /api/v1/maintenances/{maintenance_id} checks access to the current maintenance record and asset but then fills attacker-controlled fields including asset_id without re-authorizing the newly supplied asset, allowing an authorized user to move a maintenance record onto an asset outside their company scope. This issue is fixed in version 8.6.2.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-10
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
snipeitapp snipe-it to 8.6.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Mitigation Strategies

The primary mitigation step is to upgrade Snipe-IT to version 8.6.2 or later, where this vulnerability is fixed.

If immediate upgrade is not possible, restrict or monitor access to the PATCH and PUT /api/v1/maintenances/{maintenance_id} API endpoints, especially for users with permissions to update maintenance records.

Implement additional access controls or logging to detect and prevent unauthorized cross-company asset maintenance re-parenting.

Review and audit user permissions to ensure that only authorized users can update maintenance records.

Executive Summary

CVE-2026-55516 is a vulnerability in the Snipe-IT asset management system that affects versions 8.6.1 and earlier. It allows an authenticated user with permission to update maintenance records to manipulate the asset_id field in the PATCH or PUT /api/v1/maintenances/{maintenance_id} API endpoint. This manipulation enables the user to reassign a maintenance record to an asset belonging to another company, bypassing company scope restrictions.

The root cause is that while the system verifies access to the original asset, it fails to re-validate the new asset_id against the user's company permissions before saving changes. This breaks tenant isolation in multi-company deployments with Full Multiple Company Support enabled.

Impact Analysis

This vulnerability can have significant impacts including unauthorized cross-company asset maintenance re-parenting, which means a user can move maintenance records to assets outside their authorized company scope.

  • Potential cross-company asset history pollution.
  • Unauthorized modification of maintenance timelines.
  • Incorrect lifecycle records for assets.

These impacts compromise data integrity and tenant isolation, potentially leading to confusion, mismanagement of assets, and trust issues in multi-tenant environments.

Detection Guidance

This vulnerability involves unauthorized manipulation of the asset_id field via the PATCH or PUT /api/v1/maintenances/{maintenance_id} API endpoint in Snipe-IT versions prior to 8.6.2.

To detect exploitation attempts on your system or network, monitor API requests to the /api/v1/maintenances/{maintenance_id} endpoint for PATCH or PUT methods where the asset_id field is changed.

Look for authenticated users updating maintenance records with asset_id values that do not belong to their company scope.

Suggested commands include using web server or application logs to filter such requests, for example using grep or similar tools:

  • grep -i 'PATCH /api/v1/maintenances/' /var/log/snipeit/access.log | grep 'asset_id'
  • grep -i 'PUT /api/v1/maintenances/' /var/log/snipeit/access.log | grep 'asset_id'

Additionally, review audit logs or database change logs for maintenance records where the asset_id was changed to an asset outside the user's company.

Compliance Impact

This vulnerability allows an authenticated user to reassign maintenance records to assets outside their company scope, breaking tenant isolation and enabling unauthorized cross-company data modification.

Such unauthorized access and modification of asset maintenance records can lead to data integrity issues and potential exposure of sensitive information across company boundaries.

This breach of access controls and data segregation could negatively impact compliance with standards and regulations like GDPR and HIPAA, which require strict data access controls, data integrity, and protection of sensitive information within defined organizational boundaries.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-55516. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart