CVE-2026-55461 in Snipe-IT
Summary
by MITRE • 07/10/2026
Snipe-IT is an IT asset/license management system. Prior to 8.6.2, the user edit flow stores url()->previous() from the attacker-controlled Referer header into Laravel’s intended URL session value and later uses redirect()->intended(...) when redirect_option=back is submitted, allowing Snipe-IT to be used as a trusted redirector after a legitimate user edit action. This issue is fixed in version 8.6.2.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 07/10/2026
This vulnerability represents a classic server-side request forgery (ssrf) and open redirect flaw that exploits the trust relationship between the application's authentication flow and its redirection mechanisms. The issue exists within Snipe-IT's user edit functionality where the system naively accepts the Referer header value and stores it in Laravel's intended URL session variable without proper validation or sanitization. When users navigate back to the previous page after completing an edit operation, the application uses redirect()->intended() method which relies on this stored value, creating an opportunity for attackers to manipulate the redirection target through malicious Referer headers.
The technical exploitation occurs because Laravel's redirect()->intended() function is designed to redirect users back to their intended destination after authentication flows, but in this case it becomes vulnerable due to improper input handling. When an attacker crafts a malicious Referer header containing a crafted URL such as http://evil.com/redirect, the system stores this value and later uses it as the target for redirection after legitimate user actions. This creates a trust relationship where the application essentially validates the attacker's intended destination by virtue of its own redirection logic.
The operational impact of this vulnerability is significant as it allows attackers to potentially redirect authenticated users to malicious domains, enabling phishing attacks or credential harvesting scenarios. The flaw specifically affects the user edit flow within Snipe-IT's asset management system, making it particularly dangerous for organizations that rely on the application for managing sensitive IT assets and licenses. Attackers could leverage this vulnerability to redirect users to fake login pages or other malicious sites while maintaining the appearance of legitimate navigation within the application interface.
This vulnerability aligns with CWE-601 Open Redirect vulnerability classification under the Common Weakness Enumeration framework, specifically targeting the weakness category related to improper input validation in redirection flows. The issue also maps to ATT&CK technique T1566.002 Phishing via Service Provider and T1566.003 Phishing via Service Provider using Social Media which involves leveraging trusted applications to redirect users to malicious destinations. Organizations implementing Snipe-IT should immediately upgrade to version 8.6.2 or apply the necessary patches that validate and sanitize the Referer header values before storing them in session variables. The mitigation strategy requires implementing strict validation of redirection targets, ensuring that only URLs within the application's trusted domain are accepted, and potentially implementing a whitelist approach for redirect destinations to prevent unauthorized redirections.
The root cause stems from insufficient input validation and the improper handling of user-supplied data within Laravel's session management system. This vulnerability demonstrates how seemingly innocuous features like "go back" functionality can become security risks when not properly validated against malicious inputs. The fix implemented in version 8.6.2 addresses this by ensuring that the Referer header values are properly sanitized and validated before being stored in the session for later redirection use, preventing attackers from leveraging the application's own trust mechanisms against it.
This type of vulnerability represents a common pattern in web applications where legacy features or convenience functions become security liabilities due to inadequate input validation practices. The flaw highlights the importance of principle of least privilege in redirect operations and demonstrates why all user-controllable inputs should be validated against a strict allowlist before being used in critical application flows. Organizations using Snipe-IT or similar asset management systems should conduct thorough security audits of their applications to identify similar trust relationship vulnerabilities that could be exploited through various input vectors including Referer headers, URL parameters, and other user-supplied redirection contexts.