{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-55516","assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","state":"PUBLISHED","assignerShortName":"GitHub_M","dateReserved":"2026-06-16T22:44:22.284Z","datePublished":"2026-07-10T18:31:57.507Z","dateUpdated":"2026-07-10T18:31:57.507Z"},"containers":{"cna":{"title":"Snipe-IT: Cross-company asset maintenance re-parenting via API update","problemTypes":[{"descriptions":[{"cweId":"CWE-639","lang":"en","description":"CWE-639: Authorization Bypass Through User-Controlled Key","type":"CWE"}]}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":7.7,"baseSeverity":"HIGH","confidentialityImpact":"NONE","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N","version":"3.1"}}],"references":[{"name":"https://github.com/grokability/snipe-it/security/advisories/GHSA-575r-357h-fhch","tags":["x_refsource_CONFIRM"],"url":"https://github.com/grokability/snipe-it/security/advisories/GHSA-575r-357h-fhch"},{"name":"https://github.com/grokability/snipe-it/commit/905d498ecdb0ee5591231c97bf48435e92044368","tags":["x_refsource_MISC"],"url":"https://github.com/grokability/snipe-it/commit/905d498ecdb0ee5591231c97bf48435e92044368"},{"name":"https://github.com/grokability/snipe-it/releases/tag/v8.6.2","tags":["x_refsource_MISC"],"url":"https://github.com/grokability/snipe-it/releases/tag/v8.6.2"}],"affected":[{"vendor":"grokability","product":"snipe-it","versions":[{"version":"< 8.6.2","status":"affected"}]}],"providerMetadata":{"orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M","dateUpdated":"2026-07-10T18:31:57.507Z"},"descriptions":[{"lang":"en","value":"Snipe-IT is an IT asset/license management system. Prior to 8.6.2, PATCH or PUT /api/v1/maintenances/{maintenance_id} checks access to the current maintenance record and asset but then fills attacker-controlled fields including asset_id without re-authorizing the newly supplied asset, allowing an authorized user to move a maintenance record onto an asset outside their company scope. This issue is fixed in version 8.6.2."}],"source":{"advisory":"GHSA-575r-357h-fhch","discovery":"UNKNOWN"}}}}