Snipe-IT is an IT asset/license management system. Prior to version 8.6.1, Snipe-IT S3 signature image retrieval lacks authorization before temporary URL. On S3-backed deployments, authenticated users who know a signature filename can obtain a 5-minute signed S3 URL because the S3 branch returns before the `authorize()` call used by the local-file branch. Version 8.6.1 contains a patch.
Advisories
| Source | ID | Title |
|---|---|---|
Github GHSA |
GHSA-6mmj-jhqj-6c6q | Snipe-IT's S3 signature image retrieval lacks authorization before temporary URL |
Fixes
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
References
History
Wed, 08 Jul 2026 21:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Grokability
Grokability snipe-it |
|
| Vendors & Products |
Grokability
Grokability snipe-it |
Wed, 08 Jul 2026 20:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Snipe-IT is an IT asset/license management system. Prior to version 8.6.1, Snipe-IT S3 signature image retrieval lacks authorization before temporary URL. On S3-backed deployments, authenticated users who know a signature filename can obtain a 5-minute signed S3 URL because the S3 branch returns before the `authorize()` call used by the local-file branch. Version 8.6.1 contains a patch. | |
| Title | Snipe-IT's S3 signature image retrieval lacks authorization before temporary URL | |
| Weaknesses | CWE-862 | |
| References |
| |
| Metrics |
cvssV4_0
|
Projects
Sign in to view the affected projects.
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-08T20:32:14.897Z
Reserved: 2026-06-16T23:01:04.074Z
Link: CVE-2026-55542
No data.
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-08T21:30:08Z
Weaknesses
Github GHSA