CVE-2026-54329 in snipe-it
Summary
by MITRE • 07/10/2026
Snipe-IT is an IT asset/license management system. Prior to 8.6.2, the Accessories API create path mass-assigns request parameters to the Accessory model while company_id is mass assignable, allowing a low-privileged authenticated user in one company to create accessory records under another company when Full Multiple Companies Support is enabled. This issue is fixed in version 8.6.2.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 07/10/2026
The vulnerability identified in Snipe-IT versions prior to 8.6.2 represents a critical access control flaw that undermines the security boundaries between organizations within a multi-tenant environment. This issue manifests through improper parameter handling in the Accessories API create endpoint, where request parameters are mass-assigned to the Accessory model without adequate sanitization or validation. The root cause stems from the mass assignable nature of the company_id field, which allows unauthorized manipulation of organizational boundaries through API requests.
The technical implementation of this vulnerability exploits the lack of proper input validation and access control enforcement within the application's parameter handling mechanism. When Full Multiple Companies Support is enabled, the system should maintain strict isolation between different companies' data repositories, yet the mass assignment process fails to validate that the requesting user has authorization to create records under the specified company identifier. This creates a scenario where a low-privileged authenticated user belonging to one organization can manipulate the company_id parameter to reference another organization's company ID, thereby creating accessory records in that organization's namespace.
The operational impact of this vulnerability extends beyond simple data integrity concerns, as it enables cross-company data injection and potential information disclosure. An attacker could leverage this flaw to pollute another organization's accessory records with malicious data, potentially disrupting inventory management processes or creating confusion in asset tracking. The vulnerability essentially allows privilege escalation through data manipulation rather than direct access control bypass, making it particularly insidious as it operates within legitimate API pathways that should be restricted by company boundaries.
This issue aligns with CWE-915 which addresses improper control of a resource through pointer manipulation, and more specifically relates to CWE-284 which covers inadequate access control. From an ATT&CK perspective, this vulnerability maps to TA0001 Initial Access and TA0003 Persistence techniques, as it allows attackers to establish unauthorized access to another organization's data resources through API endpoints. The vulnerability also touches upon T1078 Valid Accounts as it exploits legitimate authenticated user sessions to perform unauthorized actions within the system.
Organizations using Snipe-IT with Full Multiple Companies Support enabled should immediately implement mitigation strategies including immediate patching to version 8.6.2 or later, where proper parameter validation and access control enforcement has been implemented. Additional mitigations include implementing stricter API request validation that prevents mass assignment of sensitive fields, enforcing company-level access controls at the API boundary, and conducting thorough security testing of all parameter handling mechanisms within multi-tenant applications. System administrators should also consider implementing monitoring for unusual creation patterns in accessory records that might indicate cross-company data injection attempts.