VYPR NVD Advisory, medium severity, published Jun 23, 2026

Snipe-IT has Multi-Tenancy Bypass via Bulk Asset Update

CVE-2026-55482

Description

Impact

The BulkAssetsController::update() method accepts company_id directly from user input without calling Company::getIdForCurrentUser(), the standard company-scoping function used by every other controller in the codebase. A non-superadmin user can move assets across company boundaries, breaking multi-tenancy isolation.
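As an added illustration (not Snipe-IT's own code and not the linked patch), the two shapes the description contrasts: a bulk update that writes the submitted company_id straight through, next to one that routes it through Company::getIdForCurrentUser() as the other controllers do. The Laravel request and Eloquent calls, the Asset model and the helper's one-argument signature are assumptions made for the illustration.

```php
<?php
// Added illustration, not Snipe-IT's own code. Assumes a Laravel-style
// controller, an Asset Eloquent model and the Company::getIdForCurrentUser()
// helper named in the advisory, taking the submitted id as its argument.

use App\Models\Asset;
use App\Models\Company;
use Illuminate\Http\Request;

class BulkAssetsUpdateExample
{
    // Vulnerable shape: the submitted company_id is trusted as-is, so a
    // non-superadmin can reassign assets to a company outside their tenant.
    public function updateUnscoped(Request $request): void
    {
        foreach ($request->input('ids', []) as $id) {
            $asset = Asset::findOrFail($id);
            if ($request->filled('company_id')) {
                $asset->company_id = $request->input('company_id');
            }
            $asset->save();
        }
    }

    // Hardened shape: the tenant-scoping helper decides which company id the
    // current user may actually assign (a superadmin keeps the submitted value,
    // anyone else is confined to their own company), matching the rest of the
    // codebase. Per-asset visibility checks are out of scope for this sketch.
    public function updateScoped(Request $request): void
    {
        foreach ($request->input('ids', []) as $id) {
            $asset = Asset::findOrFail($id);
            if ($request->filled('company_id')) {
                $asset->company_id = Company::getIdForCurrentUser(
                    $request->input('company_id')
                );
            }
            $asset->save();
        }
    }
}
```

A useful regression test for this class of bug is a non-superadmin user submitting a foreign company_id and asserting the stored value still equals their own company.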

Patches

Patched in https://github.com/grokability/snipe-it/commit/d58fda626e8febfeff4cabbc20ba03edfc411e18


Affected packages

Versions sourced from the GitHub Security Advisory.

Package: snipe/snipe-it (Packagist)
Affected versions: < 8.4.2
Patched versions: 8.4.2
