
Cloud Vulnerability DB
コミュニティ主導の脆弱性データベース
CVE-2026-55478 is a missing object-level authorization vulnerability in Snipe-IT, an open-source IT asset and license management system. The flaw exists in the POST /api/v1/kits/{kit_id}/licenses endpoint, which verifies kit-edit permissions but fails to authorize access to the referenced license object, enabling privilege escalation within the asset management context. All versions up to and including 8.6.1 are affected; the issue was disclosed on June 24, 2026, and patched in version 8.6.2 released on June 13, 2026 (GitHub Advisory, Release Notes). It carries a CVSS v3.1 base score of 5.4 (Medium) and a CVSS v4.0 base score of 5.3 (Medium) (Feedly).
The root cause is an authorization bypass through user-controlled key (CWE-639): the storeLicense method in app/Http/Controllers/Api/PredefinedKitsController.php checks only whether the caller holds kits.edit permission, but never performs object-level authorization on the license_id supplied in the request body (GitHub Advisory). An attacker with a low-privilege account holding predefined-kit permissions can supply any arbitrary license_id in a POST request to bind licenses they are not authorized to view or manage into a kit they can edit. The fix, applied in commit 0d870d5, adds License::findOrFail($license_id) followed by $this->authorize('view', $license) before proceeding with the association — and applies the same pattern to consumables and accessories endpoints (GitHub Commit). The vulnerability was reported by researcher Mitchell45 (GitHub Advisory).
A low-privilege user with only predefined-kit permissions can bind any license (or, per the patch scope, consumable or accessory) into an editable kit, regardless of whether they are authorized to view or manage that asset object (GitHub Advisory). This results in limited confidentiality exposure (the attacker can infer the existence and ID of licenses they should not access) and integrity impact (unauthorized modification of kit composition), though availability is not affected (Feedly). The scope is limited to the Snipe-IT application itself and does not enable lateral movement to underlying infrastructure or remote code execution.
kits.edit (predefined-kit) permissions but lacks view/manage permissions on specific licenses.GET /api/v1/kits) with the low-privilege token to list accessible kit IDs.POST /api/v1/kits/{kit_id}/licenses with the target license_id and a quantity value, using the low-privilege API token:POST /api/v1/kits/1/licenses
Authorization: Bearer <low_privilege_token>
Content-Type: application/json
{"license": <unauthorized_license_id>, "quantity": 1}200 OK response confirms the license has been bound to the kit, demonstrating unauthorized access to and manipulation of the license object (GitHub Advisory, GitHub Commit).POST /api/v1/kits/{kit_id}/licenses requests from a user account that does not hold license-view permissions; sequential or enumerated license parameter values in request bodies suggesting brute-force ID enumeration.200 OK responses to POST /api/v1/kits/*/licenses from low-privilege accounts; API access log entries where the authenticated user's role does not include license management permissions.kits_licenses table associating license IDs with kits where the acting user has no license-view grant; similar anomalies in kits_consumables or kits_accessories tables if those endpoints were also targeted.Upgrade Snipe-IT to version 8.6.2 or later, which adds object-level authorization checks ($this->authorize('view', $license)) to the affected API endpoints for licenses, consumables, and accessories (GitHub Commit, Release Notes). As a short-term workaround prior to upgrading, restrict predefined-kit edit permissions to only fully trusted users who also have appropriate license management rights. There is no configuration-only mitigation that fully addresses the missing authorization check without applying the patch (GitHub Advisory).
The vulnerability was reported by researcher Mitchell45 and acknowledged by the Snipe-IT maintainers via a GitHub Security Advisory rated Moderate severity (GitHub Advisory). The fix was included in the v8.6.2 release, which the maintainers noted contains security improvements encouraging all users to upgrade (Release Notes). No significant broader media coverage or notable community debate has been observed beyond standard CVE tracking and aggregator activity.
ソース: このレポートは AI を使用して生成されました
無料の脆弱性評価
9つのセキュリティドメインにわたるクラウドセキュリティプラクティスを評価して、リスクレベルをベンチマークし、防御のギャップを特定します。
パーソナライズされたデモを見る
"私が今まで見た中で最高のユーザーエクスペリエンスは、クラウドワークロードを完全に可視化します。"
"Wiz を使えば、クラウド環境で何が起こっているかを 1 つの画面で確認することができます"
"Wizが何かを重要視した場合、それは実際に重要であることを私たちは知っています。"