CVE-2026-54329
Undergoing Analysis Undergoing Analysis - In Progress

Accessory Record Creation in Snipe-IT Allows Company ID Manipulation

Vulnerability report for CVE-2026-54329, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: GitHub, Inc.

Description

Snipe-IT is an IT asset/license management system. Prior to 8.6.2, the Accessories API create path mass-assigns request parameters to the Accessory model while company_id is mass assignable, allowing a low-privileged authenticated user in one company to create accessory records under another company when Full Multiple Companies Support is enabled. This issue is fixed in version 8.6.2.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-10
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
snipeitapp snipe-it to 8.6.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the Snipe-IT IT asset/license management system when the Full Multiple Companies Support (FMCS) feature is enabled. It allows a low-privileged authenticated user from one company to create accessory records under another company by supplying a foreign company_id value in the API request. The root cause is that the Accessories API create path mass-assigns request parameters directly to the Accessory model, including the company_id, without enforcing tenant isolation. This means a user from Company A can inject accessory records into Company B's inventory, compromising the integrity of company-scoped data.

The vulnerability is a cross-tenant data injection issue due to lack of proper company context enforcement in the API controller during accessory creation, unlike the web controller which enforces company scoping. This flaw was fixed in version 8.6.2 of Snipe-IT.

Impact Analysis

This vulnerability can impact you by allowing unauthorized users from one company to create or inject accessory records into another company's inventory. This compromises the integrity and trustworthiness of your asset management data, as users from other companies can add unauthorized or misleading records.

Such unauthorized data injection can lead to confusion, mismanagement of assets, and potential operational disruptions. It represents a tenant isolation failure, meaning that company boundaries are not properly enforced, which could also lead to further security risks if exploited.

The vulnerability has a high severity rating with a CVSS score of 8.5, indicating a significant impact on data integrity and potential availability.

Detection Guidance

This vulnerability involves a low-privileged authenticated user being able to create accessory records under another company by supplying a foreign company_id in API requests when Full Multiple Companies Support (FMCS) is enabled.

To detect this vulnerability on your system, you can monitor API requests to the Accessories API create path for suspicious or unauthorized company_id values that do not match the authenticated user's company.

Specifically, you can look for API calls where the company_id parameter is set to a company different from the user's own company ID.

Suggested commands or methods include:

  • Review API logs for POST requests to the Accessories API create endpoint containing company_id parameters.
  • Use grep or similar tools to filter logs for company_id values that do not match the authenticated user's company.
  • Example command: grep 'POST /api/accessories' /var/log/snipeit/api.log | grep -v 'company_id=<user_company_id>'

Additionally, audit accessory records in the database to identify any that are assigned to companies inconsistent with the creating user's company.

Mitigation Strategies

The primary mitigation step is to upgrade Snipe-IT to version 8.6.2 or later, where this vulnerability has been fixed.

The fix enforces that the company_id for new accessory records is automatically set to the current user's company ID during creation and update operations, preventing unauthorized cross-company assignments.

If upgrading immediately is not possible, consider temporarily disabling Full Multiple Companies Support (FMCS) to prevent cross-tenant data injection.

Also, review and restrict API access permissions to ensure only trusted users have access to accessory creation endpoints.

Monitor logs for suspicious activity as described in the detection section to identify potential exploitation attempts.

Compliance Impact

The vulnerability allows a low-privileged authenticated user from one company to create accessory records under another company when Full Multiple Companies Support (FMCS) is enabled. This cross-tenant data injection compromises the integrity of company-scoped inventory data by allowing unauthorized data creation in another company's context.

Such a tenant isolation failure can lead to unauthorized data manipulation and potential exposure of company-specific information, which may conflict with compliance requirements in standards like GDPR and HIPAA that mandate strict data segregation, integrity, and access controls.

By allowing unauthorized users to inject data into another company's records, the vulnerability undermines data integrity and access control principles critical to regulatory compliance, potentially increasing the risk of non-compliance with data protection regulations.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-54329. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart