CVE-2026-55475 in snipe-itinfo

Summary

by MITRE • 07/10/2026

Snipe-IT is an IT asset/license management system. Prior to 8.6.1, the Importer API endpoint allows a user with CSV import capabilities and a valid API key to overwrite the created_by value of an import file, allowing unauthorized modification of import ownership metadata. This issue is fixed in version 8.6.1.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 07/10/2026

The Snipe-IT IT asset management system contains a critical access control vulnerability in its Importer API endpoint that affects versions prior to 8.6.1. This flaw represents a direct violation of the principle of least privilege and authorization controls, allowing authenticated users with CSV import permissions to manipulate metadata associated with their import operations. The vulnerability specifically targets the created_by field within import file metadata, enabling attackers to assert false ownership of imported data through manipulation of API parameters.

The technical implementation of this vulnerability stems from inadequate input validation and insufficient authorization checks within the API endpoint handling import operations. When users submit CSV files for import, the system accepts and processes a created_by parameter that should normally be automatically populated based on the authenticated user context. However, the absence of proper validation mechanisms allows malicious actors to submit crafted requests with arbitrary created_by values, effectively rewriting ownership metadata in imported records. This represents a classic case of improper access control as classified under CWE-285 and falls within the ATT&CK framework's privilege escalation categories.

The operational impact of this vulnerability extends beyond simple metadata manipulation, creating potential security risks for organizations relying on audit trails and data provenance tracking. Attackers could exploit this weakness to mask their activities by attributing imported data to other users, potentially enabling them to bypass access controls, manipulate audit logs, or interfere with accountability measures within the asset management system. The vulnerability affects any organization using Snipe-IT versions before 8.6.1 where users possess CSV import capabilities, creating a significant risk for environments that depend on accurate ownership tracking of imported assets and license information.

Organizations should immediately implement mitigations including updating to Snipe-IT version 8.6.1 or later, which resolves this vulnerability through proper parameter validation and authorization enforcement. Additional defensive measures include implementing stricter API rate limiting, conducting regular access control reviews, and monitoring for suspicious metadata changes in import operations. Network segmentation and privileged access management controls should be reinforced to limit exposure of the Importer API endpoint to only authorized personnel. The fix implemented in version 8.6.1 demonstrates proper input sanitization and authorization validation that prevents unauthorized modification of ownership metadata while maintaining legitimate import functionality for authorized users.

Responsible

GitHub M

Reservation

06/17/2026

Disclosure

07/10/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!