CVE-2026-55462 in snipe-itinfo

Summary

by MITRE • 07/10/2026

Snipe-IT is an IT asset/license management system. Prior to 8.6.2, UsersController::show() and printInventory() authorize only user viewing before loading and rendering assigned license, accessory, and consumable relationships, allowing an authenticated user with only users.view to see inventory and cost/order metadata from modules that direct permissions would otherwise deny. This issue is fixed in version 8.6.2.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 07/10/2026

This vulnerability exists within the Snipe-IT IT asset management system where unauthorized information disclosure occurs due to insufficient access control validation during inventory rendering processes. The flaw specifically affects the UsersController::show() method and printInventory() function which fail to properly enforce permission checks before displaying related license, accessory, and consumable data. An authenticated user possessing only the minimal users.view permission can exploit this weakness to access sensitive inventory metadata and cost information that should be restricted to users with higher privilege levels.

The technical implementation flaw stems from improper authorization validation within the application's permission model. When processing requests for user inventory displays, the system retrieves and renders associated license, accessory, and consumable relationships without verifying whether the requesting user has adequate permissions to view these specific data modules. This represents a classic case of insufficient authorization checks that allows privilege escalation through information disclosure rather than direct functional manipulation.

The operational impact of this vulnerability creates significant security risks for organizations relying on Snipe-IT for asset management. An attacker with minimal user privileges can gain access to detailed inventory metadata including purchase costs, order information, and associated licensing data that may contain sensitive business information or intellectual property details. This unauthorized access could enable attackers to gather intelligence about organizational asset acquisition patterns, budget allocations, and technology infrastructure planning decisions.

This vulnerability maps to CWE-285: Improper Authorization within the Common Weakness Enumeration catalog, specifically addressing insufficient authorization checks during data retrieval operations. The issue also aligns with ATT&CK technique T1068: Exploitation for Privilege Escalation, as it allows attackers to leverage existing authenticated sessions to access restricted information. Additionally, it demonstrates characteristics of credential abuse patterns where minimal permissions are exploited to gain broader information access than intended by the system's permission model.

Organizations should immediately upgrade to Snipe-IT version 8.6.2 which contains the necessary patches to address this authorization flaw. Administrators should conduct immediate review of existing user permissions and implement principle of least privilege enforcement across all asset management modules. Network monitoring should be enhanced to detect unusual data access patterns from users with minimal privileges, particularly when accessing inventory metadata from related modules that should normally require elevated permissions. Regular security audits of permission configurations and access logs should be performed to identify potential abuse of similar authorization gaps in other system components.

Responsible

GitHub M

Reservation

06/17/2026

Disclosure

07/10/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!