CVE-2026-55482
published 2026-06-23

Severity: medium

## Snipe-IT has Multi-Tenancy Bypass via Bulk Asset Update

### Impact
The `BulkAssetsController::update()` method accepts `company_id` directly from user input without calling `Company::getIdForCurrentUser()`, the standard company-scoping function used by every other controller in the codebase. A non-superadmin user can move assets across company boundaries, breaking multi-tenancy isolation.
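A simplified PHP illustration of the defect described above, added here and not taken from Snipe-IT or its patch: the `User` and `Asset` classes and the `companyIdForCurrentUser()` helper are stand-ins, and the helper's semantics (a superadmin may pick any company, everyone else is pinned to their own company) are assumed, not quoted from the project.

```php
<?php
// Added illustration, not Snipe-IT's code. It contrasts a bulk update that
// writes the submitted company_id verbatim with one that scopes it first.

final class User {
    public function __construct(public int $companyId, public bool $isSuperAdmin) {}
}

final class Asset {
    public function __construct(public int $id, public ?int $companyId) {}
}

// Assumed semantics of the scoping helper the advisory names: a superadmin
// may assign any company; a regular user can only ever get their own company.
function companyIdForCurrentUser(User $user, ?int $requested): ?int
{
    return $user->isSuperAdmin ? $requested : $user->companyId;
}

// Before: whatever company_id the form submitted is stored on every asset.
function bulkUpdateVulnerable(User $user, array $assets, array $request): void
{
    if (!isset($request['company_id'])) {
        return; // field not submitted, nothing to change
    }
    foreach ($assets as $asset) {
        $asset->companyId = (int) $request['company_id'];
    }
}

// After: the submitted value is passed through the scoping helper, so a
// non-superadmin cannot move assets out of their own company.
function bulkUpdatePatched(User $user, array $assets, array $request): void
{
    if (!isset($request['company_id'])) {
        return;
    }
    $scoped = companyIdForCurrentUser($user, (int) $request['company_id']);
    foreach ($assets as $asset) {
        $asset->companyId = $scoped;
    }
}

// Constructed scenario: a non-superadmin in company 1 submits company_id=2.
$user    = new User(companyId: 1, isSuperAdmin: false);
$request = ['company_id' => 2];

$assets = [new Asset(10, 1), new Asset(11, 1)];
bulkUpdateVulnerable($user, $assets, $request);
printf("vulnerable handler: asset 10 is now in company %d\n", $assets[0]->companyId);

$assets = [new Asset(10, 1), new Asset(11, 1)];
bulkUpdatePatched($user, $assets, $request);
printf("patched handler:    asset 10 is now in company %d\n", $assets[0]->companyId);
```

The same scoping step applied to a superadmin leaves the requested value intact, which is the behaviour the advisory describes as standard in the other controllers.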

### Patches
Patched in https://github.com/grokability/snipe-it/commit/d58fda626e8febfeff4cabbc20ba03edfc411e18

### Affected

| Vendor | Product | Version range | Fixed in |
| --- | --- | --- | --- |
| snipe | snipe-it | >= 0, < 8.4.2 | 8.4.2 |