CVE-2026-55542

GHSA-6mmj-jhqj-6c6q LOW
Published June 23, 2026

Impact

Snipe-IT S3 signature image retrieval lacks authorization before temporary URL. On S3-backed deployments, authenticated users who know a signature filename can obtain a 5-minute signed S3 URL because the S3 branch returns before the `authorize()` call used by the local-file branch.

Full CISO analysis pending enrichment.

What systems are affected?

Package: Transformers
Ecosystem: composer
Vulnerable Range: <= 8.5.0
Patched: 8.5.1

How severe is it?

CVSS 3.1
N/A
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
N/A

What should I do?

Patch available

Update Transformers to version 8.5.1

Which compliance frameworks are affected?

Compliance analysis pending.

Frequently Asked Questions

What is CVE-2026-55542?

Impact

Snipe-IT S3 signature image retrieval lacks authorization before temporary URL. On S3-backed deployments, authenticated users who know a signature filename can obtain a 5-minute signed S3 URL because the S3 branch returns before the `authorize()` call used by the local-file branch.

Key evidence

  • `routes/web.php:135-143`
  • `app/Http/Controllers/ActionlogController.php:16-44`
  • `app/Http/Controllers/Account/AcceptanceController.php:160,175`
  • `app/Listeners/LogListener.php:56`
  • `app/Http/Transformers/ActionlogsTransformer.php:188`

Patches

Patched in https://github.com/grokability/snipe-it/commit/ded6515cbc27a28f07395da318483c2e96263259

Credit

Disclosed by Ikaro tiagonas
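The ordering defect the advisory describes, as an added illustration in Laravel-style PHP. This is not Snipe-IT's own code; the controller, method, ability and path names are assumptions. The point it shows is that an early `return` in the S3 branch bypasses an `authorize()` call that only guards the local-file branch, and that moving the check ahead of the backend branch covers both.

```php
<?php
// Added illustration of the bug class, not Snipe-IT code.
// Class, method, ability name and storage paths are assumptions.

use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
use Illuminate\Routing\Controller;
use Illuminate\Support\Facades\Storage;

class SignatureFileController extends Controller // hypothetical
{
    use AuthorizesRequests;

    // VULNERABLE ordering: when the default disk is S3 the method returns a
    // temporary signed URL before any authorization check has run, so the
    // authorize() call below protects only the local-file branch.
    public function showVulnerable(string $filename)
    {
        $path = 'signatures/' . basename($filename);

        if (config('filesystems.default') === 's3') {
            // Early return: no authorize() call has happened yet.
            return redirect(
                Storage::disk('s3')->temporaryUrl($path, now()->addMinutes(5))
            );
        }

        $this->authorize('viewSignature', $filename); // hypothetical ability
        return response()->file(storage_path('app/' . $path));
    }

    // FIXED ordering: authorize first, then branch on the storage backend.
    // Both the S3 and local-file paths now sit behind the same check.
    public function showFixed(string $filename)
    {
        $this->authorize('viewSignature', $filename); // hypothetical ability

        $path = 'signatures/' . basename($filename);

        if (config('filesystems.default') === 's3') {
            return redirect(
                Storage::disk('s3')->temporaryUrl($path, now()->addMinutes(5))
            );
        }

        return response()->file(storage_path('app/' . $path));
    }
}
```

A quick code-review check for this pattern: in any controller action that branches on storage backend, confirm that no branch can `return` before the authorization call.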

Is CVE-2026-55542 actively exploited?

No confirmed active exploitation of CVE-2026-55542 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-55542?

Update to patched version: Transformers 8.5.1.

What is the CVSS score for CVE-2026-55542?

No CVSS score has been assigned yet.

Weaknesses (CWE)

CWE-862 — Missing Authorization: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

  • [Architecture and Design] Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries. Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
  • [Architecture and Design] Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Source: MITRE CWE corpus.

Timeline

Published
June 23, 2026
Last Modified
June 23, 2026
First Seen
June 24, 2026