Snipe-IT, Authorization Bypass, CVE-2026-55472 (Medium) -DC-Jul2026-890

Listen to this Post

CVE-2026-55472 is an authorization bypass vulnerability affecting Snipe-IT, an open‑source IT asset and license management system. The flaw exists in the API location creation endpoint and is triggered only when two specific administrative features are enabled: Full Multiple Companies Support and the scope_locations_fmcs configuration option. These settings are designed to enforce strict multi‑tenancy, isolating location hierarchies and assets between different companies within a single Snipe‑IT instance.
The vulnerability arises from a logic error in the input validation routine. When an authenticated user (even with low privileges) submits a request to create a new location via the API, the system is supposed to verify that the chosen parent location belongs to the same company as the new child location. If the parent and child companies do not match, the request should be aborted immediately, and an error response should be returned.
However, in versions prior to 8.6.2, the code correctly detects the company mismatch but does not return immediately – the execution continues past the validation check. As a result, the application proceeds to create the child location and associates it with the foreign parent location, effectively bypassing the company boundary. The parent‑child relationship is stored in the database, but the company isolation that the FMCS feature was meant to enforce is silently broken.
This flaw is particularly dangerous because it can be exploited by any authenticated user who knows or can guess the ID of a location belonging to another company. The attacker does not need elevated privileges; they only need to be able to call the location creation API endpoint. The exploitation is performed over the network, requires no user interaction, and has low attack complexity. The vulnerability is classified under CWE‑863 (Incorrect Authorization) and CWE‑698 (Execution After Invalid Termination), and it aligns with MITRE ATT&CK techniques T1078 (Valid Accounts) and T1531 (Account Access Removal).
Once exploited, the attacker can create arbitrary location hierarchies that span across companies, undermining the multi‑tenant isolation that is critical for organisations that manage assets for multiple clients or business units. This can lead to unauthorised access to asset data, misattribution of licenses and hardware, and confusion in reporting. The issue was addressed by the Snipe‑IT maintainers in commit `9a8cbd6` and officially released in version 8.6.2. All earlier versions are vulnerable if the two prerequisite features are enabled.

DailyCVE Form:

Platform: Snipe-IT
Version: < 8.6.2
Vulnerability: Authorization Bypass
Severity: Medium (CVSS 4.3)
Date: 2026-07-10

Prediction: Already patched (8.6.2)

What Undercode Say: Analytics

  • CVSS v3.1 Vector: `AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N`
    – Base Score: 4.3 (Medium)
  • Exploitability Score: 2.8 (Low attack complexity, network exploitable)
  • Impact Score: 1.4 (Low confidentiality impact, no integrity/availability impact)
  • CWE: CWE‑863 (Incorrect Authorization)
  • EPSS: Not yet available
  • Public Exploits: No public proof‑of‑concept has been published as of the disclosure date.
    To verify your Snipe‑IT version, run the following command from the installation root:

    php artisan snipeit:version
    

    Or check the `version` field in the `.env` file or the `config/app.php` configuration.
    To audit existing locations for potential cross‑company parent‑child relationships, you can use the built‑in scoping report (if you have the FMCS and location scoping features enabled). The following Artisan command generates a report of conflicting items, users, and locations where the company and location are mismatched:

    php artisan snipeit:location-scoping-report
    

    If you are unable to upgrade immediately, you can temporarily disable the `scope_locations_fmcs` setting in the administration panel, although this will reduce the isolation capabilities of the system.

Exploit

An attacker with a valid account can craft a POST request to the location creation endpoint, for example:

POST /api/v1/locations
Host: snipe-it.example.com
Authorization: Bearer <valid_user_token>
Content-Type: application/json
{
"name": "Malicious Child Location",
"parent_id": 42, // ID of a location belonging to another company
"company_id": 1 // Attacker's own company ID
}

In vulnerable versions, the server detects that the parent location (ID 42) belongs to a different company but does not abort the request. The child location is created and linked to the foreign parent, effectively breaking the company isolation.

A more detailed exploit flow using `curl`:

curl -X POST https://snipe-it.example.com/api/v1/locations \
-H "Authorization: Bearer <token>" \
-H "Content-Type: application/json" \
-d '{"name":"CrossCompanyLoc","parent_id":42,"company_id":1}'

If the response returns a `201 Created` with the new location details (including the `parent_id` set to 42), the system is vulnerable.

Protection

  • Immediate action: Upgrade Snipe‑IT to version 8.6.2 or later. The fix is included in commit 9a8cbd6 and the official release v8.6.2.
  • Workaround: If an upgrade is not possible, disable the `scope_locations_fmcs` option in the Snipe‑IT administration panel. This will prevent the vulnerable code path from being exercised, at the cost of losing location‑based scoping.
  • Post‑upgrade audit: After applying the patch, run the location scoping report to identify any existing cross‑company location relationships that may have been created before the fix. Manually review and correct any anomalies.

Impact

  • Multi‑tenancy breakdown: Organisations using Snipe‑IT to manage assets for multiple independent companies or clients lose the isolation that FMCS is supposed to provide. Assets and locations from different companies can become entangled, leading to incorrect inventory and license assignments.
  • Data leakage: An attacker can create locations under a foreign company’s parent, potentially gaining visibility into asset structures that should be restricted. Although the CVSS score rates confidentiality impact as “Low”, the actual business impact can be higher if sensitive asset information (e.g., high‑value hardware, proprietary software licenses) becomes exposed across company boundaries.
  • Compliance violations: For organisations subject to data protection regulations (e.g., GDPR, HIPAA), a breach of multi‑tenant isolation may constitute a compliance failure, with associated legal and financial repercussions.
  • Privilege escalation vector: By manipulating location hierarchies, an attacker might be able to associate assets with the wrong company, leading to misallocated permissions or even unauthorised access to resources that belong to other tenants.

🎯Let’s Practice Exploiting & Learn Patching For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top