
Cloud Vulnerability DB
コミュニティ主導の脆弱性データベース
CVE-2026-55476 is a Missing Authorization (CWE-862) vulnerability in Snipe-IT, an open-source IT asset and license management system. The flaw allows any authenticated user to cancel pending asset requests belonging to other users by manipulating the cancel_by_admin URL path segment in the POST /account/request/{itemType}/{itemId}/{cancel_by_admin?}/{requestingUser?} endpoint without proper authorization checks. All versions prior to 8.6.0 are affected. The vulnerability was disclosed on June 24, 2026, via a GitHub Security Advisory, and a patch was released in version 8.6.1. It carries a CVSS v3.1 base score of 4.3 (Medium) and a CVSS v4.0 base score of 5.3 (Medium) (GitHub Advisory).
The root cause is a missing authorization check (CWE-862) in the getRequestItem method of ViewAssetsController.php. The endpoint accepted cancel_by_admin as a plain URL path segment and, in the vulnerable code path, called $item->cancelRequest($requestingUser) without first verifying that the requesting user held admin or superuser privileges. An attacker only needs a valid authenticated session — no elevated permissions are required. By supplying a truthy value for cancel_by_admin and a victim's user ID as requestingUser, the attacker can silently cancel any user's pending asset request. The fix introduced an explicit admin/superuser check ($user->isSuperUser() || $user->isAdmin()) before allowing the cancel_by_admin code path to execute (GitHub Commit, GitHub Advisory).
Successful exploitation allows any authenticated user to interfere with the asset request workflow of other users, including administrators, by silently canceling their pending asset requests. The impact is limited to integrity — there is no confidentiality or availability impact, and no data is exposed or destroyed. However, in environments relying on Snipe-IT for IT asset procurement workflows, this could disrupt legitimate business processes, cause confusion, or be used to sabotage specific users' access to hardware resources (GitHub Advisory).
itemType (e.g., asset) and itemId of the asset the victim has requested.cancel_by_admin set to a truthy value (e.g., 1) and requestingUser set to the victim's user ID:POST /account/request/asset/{itemId}/1/{victimUserId}/account/request/{itemType}/{itemId}/1/{userId} from non-admin user accounts; requests where cancel_by_admin is set to a truthy value by users who are not administrators.RequestCanceled action log entries attributed to non-admin users for asset requests they did not own.canceled_at timestamps in the checkout_requests table for records where the canceling user is not the request owner and not an admin.The primary remediation is to upgrade Snipe-IT to version 8.6.1 or later, which introduces a proper admin/superuser check before allowing the cancel_by_admin code path (GitHub Advisory, v8.6.0 Release). Note that while the NVD entry references 8.6.0 as the fix version, the GitHub Security Advisory specifies the patched version as 8.6.1. As a temporary workaround if immediate upgrade is not possible, restrict network-level access to the /account/request endpoint to trusted users or IP ranges, or limit Snipe-IT access to only trusted internal users until the patch can be applied.
The vulnerability was reported by researchers iltosec and Mitchell45 and disclosed via GitHub's security advisory program (GitHub Advisory). A Medium article was published shortly after disclosure describing the vulnerability as an IDOR-style authorization bypass. Community reaction has been limited given the moderate severity rating and lack of active exploitation.
ソース: このレポートは AI を使用して生成されました
無料の脆弱性評価
9つのセキュリティドメインにわたるクラウドセキュリティプラクティスを評価して、リスクレベルをベンチマークし、防御のギャップを特定します。
パーソナライズされたデモを見る
"私が今まで見た中で最高のユーザーエクスペリエンスは、クラウドワークロードを完全に可視化します。"
"Wiz を使えば、クラウド環境で何が起こっているかを 1 つの画面で確認することができます"
"Wizが何かを重要視した場合、それは実際に重要であることを私たちは知っています。"