CVE-2026-55516 in Snipe-IT
Summary
by MITRE • 07/10/2026
Snipe-IT is an IT asset/license management system. Prior to 8.6.2, PATCH or PUT /api/v1/maintenances/{maintenance_id} checks access to the current maintenance record and asset but then fills attacker-controlled fields including asset_id without re-authorizing the newly supplied asset, allowing an authorized user to move a maintenance record onto an asset outside their company scope. This issue is fixed in version 8.6.2.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 07/10/2026
This vulnerability exists within the Snipe-IT IT asset management system where unauthorized privilege escalation can occur through manipulated API requests. The flaw manifests in the PATCH and PUT operations targeting the /api/v1/maintenances/{maintenance_id} endpoint, which demonstrates a critical access control weakness that undermines the system's security model.
The technical implementation of this vulnerability stems from insufficient authorization checks during maintenance record updates. When an authorized user submits a PATCH or PUT request to modify a maintenance record, the system initially validates access to the existing maintenance record and its associated asset. However, the validation process fails to re-verify authorization when new asset_id values are provided in the request payload. This creates a scenario where legitimate users can manipulate the asset association of maintenance records without proper re-authentication against the new asset's access controls.
The operational impact of this vulnerability is significant as it enables users within the system to bypass company scope limitations and move maintenance records between assets they should not have access to. Attackers could leverage this to consolidate maintenance data across different organizational units, potentially exposing sensitive information or disrupting asset management workflows. The vulnerability essentially allows privilege escalation through lateral movement within the asset management hierarchy.
This issue maps to CWE-285: "Improper Authorization" and aligns with ATT&CK technique T1078.004: "Valid Accounts: Cloud Accounts" where legitimate credentials are used to access unauthorized resources. The vulnerability demonstrates a classic authorization bypass pattern where initial validation is insufficient to prevent subsequent resource manipulation.
The fix implemented in version 8.6.2 addresses this by ensuring that when asset_id values are modified in maintenance records, the system performs fresh authorization checks against the new asset before allowing the update to proceed. This comprehensive approach requires re-validation of access permissions for all assets involved in any modification operation, preventing unauthorized resource movement while maintaining legitimate administrative functionality.
Organizations should immediately upgrade to version 8.6.2 or later to remediate this vulnerability and conduct thorough access control reviews to ensure no unauthorized asset movements have occurred during the vulnerable period. Security teams should also implement monitoring for unusual maintenance record modifications and asset reassignments within their Snipe-IT deployments.