Snipe-IT is an IT asset/license management system. Prior to 8.6.0, POST /account/request/{itemType}/{itemId}/{cancel_by_admin?}/{requestingUser?} accepts cancel_by_admin as a URL path segment without sufficient authorization, allowing an authenticated user to supply a victim user ID and silently cancel that user’s pending asset requests. This issue is fixed in version 8.6.0.
Metrics
Affected Vendors & Products
References
History
Fri, 10 Jul 2026 20:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Grokability
Grokability snipe-it |
|
| Vendors & Products |
Grokability
Grokability snipe-it |
Fri, 10 Jul 2026 19:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Snipe-IT is an IT asset/license management system. Prior to 8.6.0, POST /account/request/{itemType}/{itemId}/{cancel_by_admin?}/{requestingUser?} accepts cancel_by_admin as a URL path segment without sufficient authorization, allowing an authenticated user to supply a victim user ID and silently cancel that user’s pending asset requests. This issue is fixed in version 8.6.0. | |
| Title | Snipe-IT: Unauthorized Asset Request Cancellation via Unguarded cancel_by_admin Parameter | |
| Weaknesses | CWE-862 | |
| References |
|
|
| Metrics |
cvssV4_0
|
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-10T18:35:49.893Z
Reserved: 2026-06-16T22:10:37.609Z
Link: CVE-2026-55476
No data.
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-10T20:30:04Z