PatchSiren cyber security CVE debrief
CVE-2026-55461 grokability CVE debrief
CVE-2026-55461 is an open redirect vulnerability in Snipe-IT, a popular IT asset/license management system. The vulnerability allows an attacker to redirect a Snipe-IT user to a malicious website after a legitimate user edit action. This is possible because the user edit flow stores the URL from the attacker-controlled Referer header into Laravel's intended URL session value and later uses redirect()->intended(...) when redirect_option=back is submitted. The vulnerability has a CVSS score of 6.1 and is classified as MEDIUM severity. Administrators and users of Snipe-IT versions prior to 8.6.2 should be aware of this vulnerability and take steps to mitigate it.
- Vendor
- grokability
- Product
- snipe-it
- CVSS
- MEDIUM 6.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-10
- Original CVE updated
- 2026-07-10
- Advisory published
- 2026-07-10
- Advisory updated
- 2026-07-10
Who should care
Administrators and users of Snipe-IT versions prior to 8.6.2 should be aware of this vulnerability and take steps to mitigate it. This vulnerability has a CVSS score of 6.1 and is classified as MEDIUM severity. Operators, platform administrators, and security teams should review the affected scope and take necessary actions to protect their systems.
Technical summary
The vulnerability exists in the user edit flow of Snipe-IT, where the URL from the Referer header is stored in the Laravel session value. When the redirect_option=back parameter is submitted, the application uses redirect()->intended(...) to redirect the user. An attacker can exploit this by providing a malicious URL in the Referer header, allowing them to redirect the user to a malicious website. This issue is fixed in Snipe-IT version 8.6.2. The vulnerability has a CVSS score of 6.1 and is classified as MEDIUM severity.
Defensive priority
Medium
Recommended defensive actions
- Upgrade to Snipe-IT version 8.6.2 or later
- Implement input validation and sanitization for the Referer header
- Monitor for suspicious redirect activity
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
Evidence notes
The CVE record was published on 2026-07-10T20:16:46.713Z and has not been modified since then. The NVD entry is currently 6.1/MEDIUM. There is limited source detail available for this CVE, and defenders should verify the affected scope and severity with the vendor. The CVE is an open redirect vulnerability in Snipe-IT, a popular IT asset/license management system.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T20:16:46.713Z and has not been modified since then.