
Cloud Vulnerability DB
コミュニティ主導の脆弱性データベース
CVE-2026-55474 is a relative path traversal vulnerability in Snipe-IT, an open-source IT asset and license management system. The flaw exists in ActionlogController::displaySig, where the route filename parameter is concatenated directly into a private upload-directory path without sanitization, enabling an authenticated attacker to read arbitrary files accessible to the web server process. All versions prior to 8.5.0 are affected. The vulnerability was disclosed on July 10, 2026, and carries a CVSS v3.1 base score of 6.5 (Medium) and a CVSS v4.0 base score of 7.1 (High) (GitHub Advisory, Feedly).
The root cause is CWE-23 (Relative Path Traversal): the displaySig method in ActionlogController accepts a user-controlled filename route parameter and concatenates it directly into a filesystem path pointing to a private upload directory, with no input sanitization or path canonicalization applied. An attacker can supply path traversal sequences (e.g., ../../etc/passwd) in the filename parameter to escape the intended directory and access arbitrary files readable by the web server process. Exploitation requires only a valid authenticated session with low privileges — no special roles or permissions are needed. The fix, merged in PR #18927, applies PHP's basename() function to strip directory components from the filename before use, and adds similar protections across several other file-serving controllers (getStoredEula, StorageProxyController, backup download/delete/restore endpoints) (GitHub Advisory, GitHub PR, GitHub Commit).
Successful exploitation allows an authenticated attacker with low privileges to read arbitrary files accessible to the web server process, resulting in high confidentiality impact with no integrity or availability impact. Sensitive files at risk include application configuration files (e.g., .env containing database credentials, API keys, and secrets), system files, and other data within the web server's read permissions. This could facilitate further attacks such as credential theft, lateral movement, or full application compromise if secrets are exposed (GitHub Advisory, Feedly).
displaySig route, typically accessible at a URL such as /account/sig/{filename} or the equivalent route mapped to ActionlogController::displaySig.../../../../../../etc/passwd or ../../.env, to escape the intended upload directory.GET /account/sig/../../.env..env file containing database credentials, APP_KEY, and other secrets) as the response body, which the attacker can then use for further exploitation (GitHub Advisory, GitHub Commit).displaySig or getStoredEula endpoints containing URL-encoded path traversal sequences (e.g., %2F..%2F, ..%2F, ../) in the filename parameter; unusual responses returning non-image file content (e.g., plaintext configuration data) from signature-serving endpoints..., /, or %2F sequences; HTTP 200 responses with unexpectedly large or non-image content types from these endpoints.Upgrade Snipe-IT to version 8.5.0 or later, which applies basename() to the filename parameter in ActionlogController::displaySig and several other file-serving endpoints, preventing directory traversal (GitHub Release, GitHub PR). As a temporary workaround if immediate upgrade is not feasible, restrict web server process permissions to the minimum required directories and apply the principle of least privilege to the service account. Additionally, implement network-level controls (e.g., WAF rules) to block requests containing path traversal sequences (../, %2F..) targeting Snipe-IT file-serving endpoints (GitHub Advisory).
The vulnerability was reported by securin-public (Securin) and disclosed via GitHub Security Advisories on June 24, 2026, with the CVE published on July 10, 2026 (GitHub Advisory). The Snipe-IT maintainer (@snipe) merged the fix promptly in April 2026 and highlighted the security fixes in the v8.5.0 release notes, strongly encouraging all users to update (GitHub Release). No significant broader media coverage or notable community controversy has been observed.
ソース: このレポートは AI を使用して生成されました
無料の脆弱性評価
9つのセキュリティドメインにわたるクラウドセキュリティプラクティスを評価して、リスクレベルをベンチマークし、防御のギャップを特定します。
パーソナライズされたデモを見る
"私が今まで見た中で最高のユーザーエクスペリエンスは、クラウドワークロードを完全に可視化します。"
"Wiz を使えば、クラウド環境で何が起こっているかを 1 つの画面で確認することができます"
"Wizが何かを重要視した場合、それは実際に重要であることを私たちは知っています。"