CVE-2026-55476
NixOS 脆弱性の分析と軽減

概要

CVE-2026-55476 is a Missing Authorization (CWE-862) vulnerability in Snipe-IT, an open-source IT asset and license management system. The flaw allows any authenticated user to cancel pending asset requests belonging to other users by manipulating the cancel_by_admin URL path segment in the POST /account/request/{itemType}/{itemId}/{cancel_by_admin?}/{requestingUser?} endpoint without proper authorization checks. All versions prior to 8.6.0 are affected. The vulnerability was disclosed on June 24, 2026, via a GitHub Security Advisory, and a patch was released in version 8.6.1. It carries a CVSS v3.1 base score of 4.3 (Medium) and a CVSS v4.0 base score of 5.3 (Medium) (GitHub Advisory).

技術的な詳細

The root cause is a missing authorization check (CWE-862) in the getRequestItem method of ViewAssetsController.php. The endpoint accepted cancel_by_admin as a plain URL path segment and, in the vulnerable code path, called $item->cancelRequest($requestingUser) without first verifying that the requesting user held admin or superuser privileges. An attacker only needs a valid authenticated session — no elevated permissions are required. By supplying a truthy value for cancel_by_admin and a victim's user ID as requestingUser, the attacker can silently cancel any user's pending asset request. The fix introduced an explicit admin/superuser check ($user->isSuperUser() || $user->isAdmin()) before allowing the cancel_by_admin code path to execute (GitHub Commit, GitHub Advisory).

影響

Successful exploitation allows any authenticated user to interfere with the asset request workflow of other users, including administrators, by silently canceling their pending asset requests. The impact is limited to integrity — there is no confidentiality or availability impact, and no data is exposed or destroyed. However, in environments relying on Snipe-IT for IT asset procurement workflows, this could disrupt legitimate business processes, cause confusion, or be used to sabotage specific users' access to hardware resources (GitHub Advisory).

エクスプロイテーションのステップ

  1. Authenticate: Log in to a vulnerable Snipe-IT instance (any version prior to 8.6.0) with any valid user account — no admin privileges required.
  2. Identify a victim: Enumerate or guess the user ID of a target user who has a pending asset request. User IDs may be discoverable through the application's UI or API.
  3. Identify a target asset: Determine the itemType (e.g., asset) and itemId of the asset the victim has requested.
  4. Craft the malicious request: Send a POST request to the endpoint with cancel_by_admin set to a truthy value (e.g., 1) and requestingUser set to the victim's user ID:
    POST /account/request/asset/{itemId}/1/{victimUserId}
  5. Request processed: The server, lacking an authorization check, processes the cancellation as if it were an admin action, silently canceling the victim's pending asset request without their knowledge (GitHub Advisory, GitHub Commit).

妥協の兆候

  • Network/HTTP Logs: Unexpected POST requests to /account/request/{itemType}/{itemId}/1/{userId} from non-admin user accounts; requests where cancel_by_admin is set to a truthy value by users who are not administrators.
  • Application Logs: Entries in Snipe-IT logs showing RequestCanceled action log entries attributed to non-admin users for asset requests they did not own.
  • Database: Unexpected canceled_at timestamps in the checkout_requests table for records where the canceling user is not the request owner and not an admin.
  • Behavioral: Users reporting their pending asset requests being canceled without their action or admin notification, particularly if alert emails are disabled or misconfigured.

軽減策と回避策

The primary remediation is to upgrade Snipe-IT to version 8.6.1 or later, which introduces a proper admin/superuser check before allowing the cancel_by_admin code path (GitHub Advisory, v8.6.0 Release). Note that while the NVD entry references 8.6.0 as the fix version, the GitHub Security Advisory specifies the patched version as 8.6.1. As a temporary workaround if immediate upgrade is not possible, restrict network-level access to the /account/request endpoint to trusted users or IP ranges, or limit Snipe-IT access to only trusted internal users until the patch can be applied.

コミュニティの反応

The vulnerability was reported by researchers iltosec and Mitchell45 and disclosed via GitHub's security advisory program (GitHub Advisory). A Medium article was published shortly after disclosure describing the vulnerability as an IDOR-style authorization bypass. Community reaction has been limited given the moderate severity rating and lack of active exploitation.

関連情報


ソースこのレポートは AI を使用して生成されました

関連 NixOS 脆弱 性:

CVE 識別子

重大度

スコア

テクノロジー

コンポーネント名

CISA KEV エクスプロイト

修正あり

公開日

CVE-2026-55516HIGH7.7
  • NixOS logoNixOS
  • snipe-it
いいえはいJul 10, 2026
CVE-2026-55474HIGH7.1
  • NixOS logoNixOS
  • snipe-it
いいえはいJul 10, 2026
CVE-2026-55843HIGH7
  • NixOS logoNixOS
  • snipe-it
いいえはいJul 10, 2026
CVE-2026-55478MEDIUM5.3
  • NixOS logoNixOS
  • snipe-it
いいえはいJul 10, 2026
CVE-2026-55476MEDIUM5.3
  • NixOS logoNixOS
  • snipe-it
いいえはいJul 10, 2026

無料の脆弱性評価

クラウドセキュリティポスチャーのベンチマーク

9つのセキュリティドメインにわたるクラウドセキュリティプラクティスを評価して、リスクレベルをベンチマークし、防御のギャップを特定します。

評価を依頼する

パーソナライズされたデモを見る

実際に Wiz を見てみませんか?​

"私が今まで見た中で最高のユーザーエクスペリエンスは、クラウドワークロードを完全に可視化します。"
デビッド・エストリックCISO (最高情報責任者)
"Wiz を使えば、クラウド環境で何が起こっているかを 1 つの画面で確認することができます"
アダム・フレッチャーチーフ・セキュリティ・オフィサー
"Wizが何かを重要視した場合、それは実際に重要であることを私たちは知っています。"
グレッグ・ポニャトフスキ脅威および脆弱性管理責任者