CVE-2026-55469 in snipe-it
Summary
by MITRE • 07/10/2026
Snipe-IT is an IT asset/license management system. Prior to 8.6.2, an authenticated user with import and assets.update permissions can place a path traversal string in an asset image field through CSV import and then trigger image deletion, allowing deletion of arbitrary files accessible to the server process. This issue is fixed in version 8.6.2.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 07/10/2026
This vulnerability exists within the Snipe-IT IT asset management system where an authenticated user with specific permissions can exploit a path traversal flaw during CSV import operations. The vulnerability stems from inadequate input validation and sanitization of file paths when processing image uploads through the import functionality. When users with import and assets.update permissions submit malicious CSV data containing path traversal sequences in the asset image field, the system fails to properly validate these inputs before performing file operations.
The technical flaw manifests as a lack of proper path normalization and validation mechanisms within the file handling code. When the system processes the imported CSV data, it accepts user-supplied paths without sufficient sanitization, allowing attackers to manipulate directory traversal sequences such as ../ or ..\ that can navigate outside the intended upload directories. This weakness is particularly dangerous because it occurs during the import process where the system expects legitimate image paths but instead receives maliciously crafted file references.
The operational impact of this vulnerability extends beyond simple file deletion capabilities to potentially allow full system compromise through arbitrary file removal. An attacker with access to the import functionality can target critical system files, configuration files, log files, or even other users' data stored within the server's file system. The vulnerability allows for exploitation of the server process privileges, meaning that if the web application runs under elevated permissions, the attacker could potentially delete system-critical files or gain further access to the underlying infrastructure.
This vulnerability directly maps to CWE-22 Path Traversal and CWE-73 Improper Neutralization of Special Elements in Output Used by a Downstream Component, both of which are categorized under the OWASP Top Ten as critical application security risks. The attack vector aligns with ATT&CK technique T1059 Command and Scripting Interpreter where adversaries may abuse legitimate system utilities to execute commands or manipulate files within the compromised system. The vulnerability also represents a privilege escalation path through the existing import functionality, demonstrating how seemingly benign administrative features can become attack vectors when proper input validation is missing.
The mitigation strategy involves implementing comprehensive input validation and sanitization of all file paths during CSV imports, including strict normalization of paths to prevent traversal sequences from being processed. System administrators should ensure that Snipe-IT instances are updated to version 8.6.2 or later where this vulnerability has been patched. Additionally, proper access controls should be enforced to limit import permissions only to trusted users, and the principle of least privilege should be applied to restrict file system access for the web application process. Regular security audits of file handling code sections and implementation of automated input validation checks can help prevent similar issues from emerging in future versions.