PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-55515 grokability CVE debrief

CVE-2026-55515 is a vulnerability in Snipe-IT, an IT asset/license management system. The unaccepted-assets report delete endpoint authorizes only reports.view and deletes CheckoutAcceptance::pending()->find($acceptanceId) by global ID without checking access to the related checkoutable asset. This allows a reports user in one company to delete pending checkout acceptance records for another company. The issue is fixed in version 8.6.2. Users should review the vendor's guidance and consider restricting reports.view permissions.

Vendor
grokability
Product
snipe-it
CVSS
MEDIUM 5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-10
Original CVE updated
2026-07-10
Advisory published
2026-07-10
Advisory updated
2026-07-10

Who should care

Users of Snipe-IT, especially those with reports.view permissions, should be aware of this vulnerability and take steps to protect their systems. This includes reviewing the affected scope, applying the patch, and monitoring for suspicious activity. Operators, platform administrators, vulnerability managers, and security teams should review the vulnerability details and plan accordingly.

Technical summary

The vulnerability exists in the unaccepted-assets report delete endpoint of Snipe-IT, an IT asset/license management system. The endpoint only requires the reports.view permission and deletes records based on a global ID without verifying access to the related asset. This can be exploited by users with reports.view permissions in one company to delete pending checkout acceptance records of another company. The issue is fixed in version 8.6.2. Users should review the vendor's guidance and consider restricting reports.view permissions.

Defensive priority

Medium

Recommended defensive actions

  • Upgrade to Snipe-IT version 8.6.2 or later
  • Restrict reports.view permissions to trusted users
  • Monitor for suspicious activity on the unaccepted-assets report delete endpoint
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up

Evidence notes

The CVE record was published on 2026-07-10T20:16:47.713Z and has not been modified since then. The NVD entry is currently 5.0 MEDIUM. There is limited information available about the vulnerability, and defenders should verify the affected scope and severity with the vendor. The unaccepted-assets report delete endpoint authorizes only reports.view and deletes CheckoutAcceptance::pending()->find($acceptanceId) by global ID without checking access to the related checkoutable asset.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T20:16:47.713Z and has not been modified since then.