CVE-2026-55472
Undergoing Analysis Undergoing Analysis - In Progress

Location Creation Bypass in Snipe-IT with FMC

Vulnerability report for CVE-2026-55472, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: GitHub, Inc.

Description

Snipe-IT is an IT asset/license management system. Prior to 8.6.2, when Full Multiple Companies Support and scope_locations_fmcs are enabled, the API location creation endpoint detects an invalid parent-child company mismatch but does not return immediately, allowing creation of a child location under a parent location from a different company. This issue is fixed in version 8.6.2.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-10
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
snipeitapp snipe-it to 8.6.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-55472 is a vulnerability in the Snipe-IT asset management system affecting versions 8.6.1 and earlier. When both Full Multiple Companies Support (FMCS) and scope_locations_fmcs are enabled, the API endpoint for creating locations fails to properly enforce company boundary validation.

Although the system detects an invalid parent/child company relationship, it does not immediately reject the request, allowing the creation of a child location under a parent location from a different company. This flaw enables cross-company parent/child relationships to be created in the location hierarchy, compromising company isolation.

The issue does not occur in the Web interface, which correctly rejects such relationships. The vulnerability has been patched in version 8.6.2.

Detection Guidance

This vulnerability occurs when the API endpoint for creating locations allows a parent location from a different company to be assigned, bypassing company boundary validation.

To detect this vulnerability on your system, you can test the API location creation endpoint by attempting to create a location with a parent location belonging to a different company when Full Multiple Companies Support (FMCS) and scope_locations_fmcs are enabled.

If the API accepts and creates such a location without immediate rejection, your system is vulnerable.

Suggested command (using curl) to test the API endpoint might look like this:

  • curl -X POST https://your-snipeit-instance/api/v1/locations -H "Authorization: Bearer YOUR_API_TOKEN" -H "Content-Type: application/json" -d '{"name": "Test Location", "parent_id": DIFFERENT_COMPANY_PARENT_ID, "company_id": YOUR_COMPANY_ID}'

If the response indicates success and the location is created despite the parent location belonging to a different company, the vulnerability is present.

Mitigation Strategies

The primary mitigation step is to upgrade your Snipe-IT installation to version 8.6.2 or later, where this vulnerability has been fixed.

The fix ensures that the API and web controllers properly validate that a location's parent belongs to the same company, preventing cross-company parent-child location creation.

Until you can upgrade, consider disabling Full Multiple Companies Support (FMCS) or scope_locations_fmcs features if feasible, to reduce exposure.

Additionally, monitor API usage for suspicious location creation requests that might violate company boundaries.

Impact Analysis

This vulnerability can impact you by compromising the isolation between companies within the Snipe-IT system. It allows the creation of location entries that link parent and child locations across different companies, which violates intended company boundaries.

Such cross-company relationships can lead to confusion or errors in asset and license management, potentially affecting downstream business logic that relies on accurate company-specific data.

The vulnerability requires low privileges and no user interaction, and can be exploited over the network, making it a moderate risk.

Compliance Impact

The vulnerability allows creation of child locations under parent locations from different companies, compromising company isolation within the Snipe-IT asset management system.

This cross-company data boundary violation could potentially lead to unauthorized access or mixing of company-specific data, which may impact compliance with regulations that require strict data segregation and protection, such as GDPR or HIPAA.

However, the CVE description and resources do not explicitly mention any direct impact or assessment related to compliance with these standards.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-55472. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart