CVE-2026-55478
NixOS 脆弱性の分析と軽減

概要

CVE-2026-55478 is a missing object-level authorization vulnerability in Snipe-IT, an open-source IT asset and license management system. The flaw exists in the POST /api/v1/kits/{kit_id}/licenses endpoint, which verifies kit-edit permissions but fails to authorize access to the referenced license object, enabling privilege escalation within the asset management context. All versions up to and including 8.6.1 are affected; the issue was disclosed on June 24, 2026, and patched in version 8.6.2 released on June 13, 2026 (GitHub Advisory, Release Notes). It carries a CVSS v3.1 base score of 5.4 (Medium) and a CVSS v4.0 base score of 5.3 (Medium) (Feedly).

技術的な詳細

The root cause is an authorization bypass through user-controlled key (CWE-639): the storeLicense method in app/Http/Controllers/Api/PredefinedKitsController.php checks only whether the caller holds kits.edit permission, but never performs object-level authorization on the license_id supplied in the request body (GitHub Advisory). An attacker with a low-privilege account holding predefined-kit permissions can supply any arbitrary license_id in a POST request to bind licenses they are not authorized to view or manage into a kit they can edit. The fix, applied in commit 0d870d5, adds License::findOrFail($license_id) followed by $this->authorize('view', $license) before proceeding with the association — and applies the same pattern to consumables and accessories endpoints (GitHub Commit). The vulnerability was reported by researcher Mitchell45 (GitHub Advisory).

影響

A low-privilege user with only predefined-kit permissions can bind any license (or, per the patch scope, consumable or accessory) into an editable kit, regardless of whether they are authorized to view or manage that asset object (GitHub Advisory). This results in limited confidentiality exposure (the attacker can infer the existence and ID of licenses they should not access) and integrity impact (unauthorized modification of kit composition), though availability is not affected (Feedly). The scope is limited to the Snipe-IT application itself and does not enable lateral movement to underlying infrastructure or remote code execution.

エクスプロイテーションのステップ

  1. Obtain a low-privilege account: Acquire or create a Snipe-IT user account that has kits.edit (predefined-kit) permissions but lacks view/manage permissions on specific licenses.
  2. Enumerate kit IDs: Use the Snipe-IT API (e.g., GET /api/v1/kits) with the low-privilege token to list accessible kit IDs.
  3. Enumerate or guess license IDs: Attempt to identify license object IDs by brute-forcing sequential integer IDs or leveraging any other information disclosure in the application.
  4. Send unauthorized bind request: Issue a crafted POST request to POST /api/v1/kits/{kit_id}/licenses with the target license_id and a quantity value, using the low-privilege API token:
    POST /api/v1/kits/1/licenses
    Authorization: Bearer <low_privilege_token>
    Content-Type: application/json
    
    {"license": <unauthorized_license_id>, "quantity": 1}
  5. Confirm unauthorized association: A successful 200 OK response confirms the license has been bound to the kit, demonstrating unauthorized access to and manipulation of the license object (GitHub Advisory, GitHub Commit).

妥協の兆候

  • Network: Repeated POST /api/v1/kits/{kit_id}/licenses requests from a user account that does not hold license-view permissions; sequential or enumerated license parameter values in request bodies suggesting brute-force ID enumeration.
  • Logs: Snipe-IT application logs showing successful 200 OK responses to POST /api/v1/kits/*/licenses from low-privilege accounts; API access log entries where the authenticated user's role does not include license management permissions.
  • Database: Unexpected entries in the kits_licenses table associating license IDs with kits where the acting user has no license-view grant; similar anomalies in kits_consumables or kits_accessories tables if those endpoints were also targeted.

軽減策と回避策

Upgrade Snipe-IT to version 8.6.2 or later, which adds object-level authorization checks ($this->authorize('view', $license)) to the affected API endpoints for licenses, consumables, and accessories (GitHub Commit, Release Notes). As a short-term workaround prior to upgrading, restrict predefined-kit edit permissions to only fully trusted users who also have appropriate license management rights. There is no configuration-only mitigation that fully addresses the missing authorization check without applying the patch (GitHub Advisory).

コミュニティの反応

The vulnerability was reported by researcher Mitchell45 and acknowledged by the Snipe-IT maintainers via a GitHub Security Advisory rated Moderate severity (GitHub Advisory). The fix was included in the v8.6.2 release, which the maintainers noted contains security improvements encouraging all users to upgrade (Release Notes). No significant broader media coverage or notable community debate has been observed beyond standard CVE tracking and aggregator activity.

関連情報


ソースこのレポートは AI を使用して生成されました

関連 NixOS 脆弱 性:

CVE 識別子

重大度

スコア

テクノロジー

コンポーネント名

CISA KEV エクスプロイト

修正あり

公開日

CVE-2026-55516HIGH7.7
  • NixOS logoNixOS
  • snipe-it
いいえはいJul 10, 2026
CVE-2026-55474HIGH7.1
  • NixOS logoNixOS
  • snipe-it
いいえはいJul 10, 2026
CVE-2026-55843HIGH7
  • NixOS logoNixOS
  • snipe-it
いいえはいJul 10, 2026
CVE-2026-55478MEDIUM5.3
  • NixOS logoNixOS
  • snipe-it
いいえはいJul 10, 2026
CVE-2026-55476MEDIUM5.3
  • NixOS logoNixOS
  • snipe-it
いいえはいJul 10, 2026

無料の脆弱性評価

クラウドセキュリティポスチャーのベンチマーク

9つのセキュリティドメインにわたるクラウドセキュリティプラクティスを評価して、リスクレベルをベンチマークし、防御のギャップを特定します。

評価を依頼する

パーソナライズされたデモを見る

実際に Wiz を見てみませんか?​

"私が今まで見た中で最高のユーザーエクスペリエンスは、クラウドワークロードを完全に可視化します。"
デビッド・エストリックCISO (最高情報責任者)
"Wiz を使えば、クラウド環境で何が起こっているかを 1 つの画面で確認することができます"
アダム・フレッチャーチーフ・セキュリティ・オフィサー
"Wizが何かを重要視した場合、それは実際に重要であることを私たちは知っています。"
グレッグ・ポニャトフスキ脅威および脆弱性管理責任者