PT-2026-57268 · Snipe-It · Snipe-It

Published

2026-07-10

·

Updated

2026-07-10

·

CVE-2026-55476

CVSS v4.0

5.3

Medium

VectorAV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions Snipe-IT versions prior to 8.6.0
Description An authenticated user can silently cancel pending asset requests of another user due to insufficient authorization. This occurs when the system processes the cancel by admin URL path segment in the 'POST /account/request/{itemType}/{itemId}/{cancel by admin?}/{requestingUser?}' endpoint, allowing the attacker to specify a victim user ID.
Recommendations Update to version 8.6.0.

Fix

Missing Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-55476

Affected Products

Snipe-It