CVE-2026-55460 in Snipe-ITinfo

Summary

by MITRE • 07/10/2026

Snipe-IT is an IT asset/license management system. Prior to 8.6.2, an authenticated non-admin user with users.view and users.edit but without users.delete can directly POST to /users/bulksave with delete_user=1 because BulkUsersController::destroy() authorizes only update, allowing the user to soft-delete another non-admin user. This issue is fixed in version 8.6.2.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 07/10/2026

This vulnerability exists within the Snipe-IT IT asset management system where an authenticated user can exploit a privilege escalation flaw through improper authorization controls. The vulnerability specifically affects versions prior to 8.6.2 and stems from a misconfiguration in the BulkUsersController::destroy() method that fails to properly validate user permissions before executing deletion operations. An attacker with users.view and users.edit permissions but lacking users.delete rights can bypass these restrictions by directly posting to the /users/bulksave endpoint with delete_user=1 parameter, thereby enabling soft-deletion of other non-administrator accounts.

The technical flaw manifests as an authorization bypass in the controller logic where the destroy method only authorizes update operations while neglecting to verify whether the requesting user possesses sufficient privileges to perform deletion actions. This creates a path where users with read and write permissions can manipulate the system's delete functionality through indirect means, specifically by leveraging bulk operations that should not be accessible to users without explicit delete permissions. The vulnerability is classified as a privilege escalation issue under CWE-284 Access Control Bypass and represents a failure in proper authorization enforcement.

The operational impact of this vulnerability allows malicious actors to compromise user accounts within the system through unauthorized soft-deletion of other non-administrator users, potentially leading to data integrity issues and disruption of normal operations. This attack vector could be particularly dangerous in environments where multiple users have varying levels of access permissions, as it enables a limited-privilege user to effectively remove other users from the system without proper authorization. The soft-delete functionality, while not permanently erasing data, still removes user accounts from active consideration in the system and can disrupt access controls and audit trails.

Mitigation strategies include upgrading to Snipe-IT version 8.6.2 or later where this authorization bypass has been addressed through proper permission validation in the BulkUsersController::destroy() method. Organizations should also implement regular security audits of their authentication and authorization mechanisms, ensuring that bulk operations properly validate user privileges before executing destructive actions. The fix aligns with ATT&CK technique T1078 Valid Accounts by preventing unauthorized users from leveraging legitimate system functionality to escalate their privileges through indirect means, while also addressing the broader category of privilege escalation through inadequate access control enforcement as outlined in ATT&CK technique T1484.1 Privilege Escalation through Unauthorized Access Control.

Responsible

GitHub M

Reservation

06/17/2026

Disclosure

07/10/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!