How CVE-2026-55482 Works
Snipe-IT is an open-source IT asset management system that supports multi-tenancy through a “Full Multiple Companies Support” feature. When this feature is enabled, users are scoped to their respective companies and should only be able to view and modify assets belonging to their own company.
The vulnerability resides in the `BulkAssetsController::update()` method, which handles bulk asset update requests. In vulnerable versions (up to and including 8.4.1), this method accepts a `company_id` parameter directly from user input without validating it against the currently authenticated user’s company scope.
In contrast, every other controller in the Snipe-IT codebase uses `Company::getIdForCurrentUser()` to obtain the company ID of the authenticated user, ensuring that all operations are properly scoped. The `BulkAssetsController::update()` bypasses this standard company-scoping function, allowing a remote, authenticated non-superadmin user to supply an arbitrary `company_id` value.
By manipulating this parameter, an attacker can move assets across company boundaries, effectively breaking the multi-tenancy isolation that is fundamental to the system’s security model. This allows a user from one company to modify assets belonging to other companies, leading to unauthorized data access and potential data corruption.
The weakness is CWE-639, Authorization Bypass Through User-Controlled Key: the class of flaw commonly called an Insecure Direct Object Reference (IDOR), where the server trusts a client-supplied identifier to decide which tenant's records an operation touches. The fix, implemented in commit d58fda626e8febfeff4cabbc20ba03edfc411e18, changes `BulkAssetsController::update()` to obtain the `company_id` through `Company::getIdForCurrentUser()` instead of accepting it directly from user input.
DailyCVE Form:
Platform: Snipe-IT
Version: ≤8.4.1
Vulnerability: Auth Bypass
Severity: Medium
Date: 2026-06-23
Prediction: 2026-06-23
What Undercode Say:
Analytics & Technical Details
The vulnerability exists in the `app/Http/Controllers/BulkAssetsController.php` file. The vulnerable code accepts `company_id` from the request input:
// Vulnerable code in BulkAssetsController::update()
$company_id = $request->input('company_id');
// No call to Company::getIdForCurrentUser()
The patched code instead derives the company ID from the authenticated user, so the value in the request body is no longer trusted:
// Patched code in BulkAssetsController::update()
$company_id = Company::getIdForCurrentUser();
Affected Versions
- All Snipe-IT versions up to and including 8.4.1
Fixed Version
- Snipe-IT 8.4.2
Commit
- `d58fda626e8febfeff4cabbc20ba03edfc411e18`
CVSS Score
- Medium severity
How Exploit:
To exploit this vulnerability, an attacker must:
- Hold a valid authenticated session or API token as a non-superadmin user who is assigned to one company
- Target an instance with the “Full Multiple Companies Support” feature enabled; without it there is no company scoping to bypass
- Send a bulk asset update request to the endpoint served by `BulkAssetsController::update()`, naming the assets to change and a `company_id` belonging to another tenant (the example below uses `/api/bulkassets/update`; confirm the exact route for the deployed version)
Exploit Request Example (company 5 belongs to another tenant; the attacker's own company has a different ID):
POST /api/bulkassets/update HTTP/1.1
Host: target-snipe-instance.com
Authorization: Bearer <valid_user_token>
Content-Type: application/json

{
"assets": [1, 2, 3],
"company_id": 5,
"status_id": 1,
"location_id": 1
}
By supplying a `company_id` value corresponding to a different company, the attacker can reassign assets to that company, bypassing the intended multi-tenancy restrictions.
Protection:
Immediate Actions:
1. Upgrade to Snipe-IT 8.4.2 immediately
- If upgrading is not possible, apply the patch from commit `d58fda626e8febfeff4cabbc20ba03edfc411e18` manually
Code-Level Fix:
Modify `BulkAssetsController::update()` to obtain `company_id` via `Company::getIdForCurrentUser()` instead of accepting it directly from user input:
// Replace
$company_id = $request->input('company_id');
// With
$company_id = Company::getIdForCurrentUser();
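The following is an added example, not Snipe-IT's own code: a small Python model of the authorization pattern described in “How CVE-2026-55482 Works” and in the code-level fix above, so the vulnerable and hardened behaviour can be run side by side. The in-memory asset table, the `User` and `Asset` dataclasses, the `FULL_MULTIPLE_COMPANIES_SUPPORT` flag and every function name are assumptions made for this example; `company_id_for_current_user()` stands in for `Company::getIdForCurrentUser()` and only models its effect (tenant-bound users get their own company back, superadmins keep the requested value).

```python
"""Model of the BulkAssetsController::update() flaw and its fix.

Added example, not Snipe-IT code. Everything here (the asset table,
the dataclasses, the FULL_MULTIPLE_COMPANIES_SUPPORT flag, the function
names) is an assumption made to illustrate the pattern the advisory
describes.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class User:
    id: int
    company_id: Optional[int]        # None: not bound to a single company
    is_superadmin: bool = False


@dataclass
class Asset:
    id: int
    company_id: int
    status_id: int = 1


class AuthorizationError(Exception):
    """Raised when a request reaches outside the caller's company scope."""


# Stand-in for the "Full Multiple Companies Support" setting.
FULL_MULTIPLE_COMPANIES_SUPPORT = True


def make_assets() -> Dict[int, Asset]:
    """Constructed sample data: assets 1 and 2 belong to company 2, asset 3 to company 5."""
    return {
        1: Asset(1, company_id=2),
        2: Asset(2, company_id=2),
        3: Asset(3, company_id=5),
    }


def company_id_for_current_user(user: User, requested: Optional[int]) -> Optional[int]:
    """Model (assumption) of the server-side scoping helper: tenant-bound users
    get their own company no matter what the request says; superadmins, or
    deployments without multi-company support, keep the requested value."""
    if not FULL_MULTIPLE_COMPANIES_SUPPORT or user.is_superadmin:
        return requested
    return user.company_id


def bulk_update_vulnerable(user: User, assets: Dict[int, Asset],
                           ids: List[int], company_id: int, status_id: int) -> List[int]:
    """Vulnerable pattern: company_id comes straight from the request body and
    no asset is checked against the caller's company (CWE-639)."""
    for asset_id in ids:
        asset = assets[asset_id]
        asset.company_id = company_id      # attacker-controlled key picks the tenant
        asset.status_id = status_id
    return list(ids)


def bulk_update_fixed(user: User, assets: Dict[int, Asset],
                      ids: List[int], company_id: Optional[int], status_id: int) -> List[int]:
    """Hardened pattern: derive the tenant server-side, verify every selected
    asset is inside the caller's scope, and only then apply any change."""
    target_company = company_id_for_current_user(user, company_id)
    scoped = FULL_MULTIPLE_COMPANIES_SUPPORT and not user.is_superadmin

    # Validate the whole batch first so a rejected request leaves no partial update.
    for asset_id in ids:
        asset = assets[asset_id]
        if scoped and asset.company_id != user.company_id:
            raise AuthorizationError(
                f"asset {asset_id} belongs to company {asset.company_id}, "
                f"not to the caller's company {user.company_id}")

    for asset_id in ids:
        asset = assets[asset_id]
        if target_company is not None:
            asset.company_id = target_company
        asset.status_id = status_id
    return list(ids)
```

Two points the model makes that the one-line patch does not: forcing `company_id` server-side stops a user from pushing their own assets into another tenant, but on its own it does not stop them from pulling another tenant's assets into their company, so the selected asset IDs must be checked against the caller's scope as well; and the check runs over the whole batch before anything is written, so a rejected bulk request cannot leave half the assets updated.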
Long-Term Recommendations:
- Implement a centralized authorization middleware that enforces company scoping for all controllers
- Conduct a security audit of all controllers to ensure `Company::getIdForCurrentUser()` is used consistently
- Enable logging and monitoring for bulk asset operations to detect anomalous cross-company modifications
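As an added example of the last recommendation (not Snipe-IT code, and not its action log schema): a detection that scans bulk-update audit records for the two signals of this bug, a request that names a company other than the acting user's own, and a request that touches assets which were outside the user's company before the update. The JSON-lines format and the five records are constructed for this example; superadmin activity is skipped because those accounts are allowed to cross company boundaries.

```python
"""Flagging cross-company bulk asset updates in audit logs.

Added example, not Snipe-IT code. The JSON-lines format and the
records in SAMPLE_LOG are constructed for this example and do not
follow Snipe-IT's action log schema.
"""
import json
from typing import Dict, List

# Constructed sample log: one JSON object per line.
SAMPLE_LOG = """\
{"ts": "2026-06-23T10:00:01Z", "event": "bulk_asset_update", "user_id": 10, "user_company_id": 2, "is_superadmin": false, "requested_company_id": 2, "assets": [{"id": 1, "company_id_before": 2}, {"id": 2, "company_id_before": 2}]}
{"ts": "2026-06-23T10:02:17Z", "event": "bulk_asset_update", "user_id": 10, "user_company_id": 2, "is_superadmin": false, "requested_company_id": 5, "assets": [{"id": 1, "company_id_before": 2}]}
{"ts": "2026-06-23T10:03:40Z", "event": "bulk_asset_update", "user_id": 10, "user_company_id": 2, "is_superadmin": false, "requested_company_id": 2, "assets": [{"id": 3, "company_id_before": 5}]}
{"ts": "2026-06-23T10:05:09Z", "event": "bulk_asset_update", "user_id": 1, "user_company_id": null, "is_superadmin": true, "requested_company_id": 5, "assets": [{"id": 1, "company_id_before": 2}]}
{"ts": "2026-06-23T10:06:00Z", "event": "login", "user_id": 10}
"""


def find_cross_company_updates(log_text: str) -> List[Dict]:
    """Return one finding per bulk update by a tenant-bound user that either
    names another company in company_id or touches assets that were not in
    the user's own company before the update."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue   # malformed line: skip it rather than abort the whole scan
        if rec.get("event") != "bulk_asset_update" or rec.get("is_superadmin"):
            continue
        home = rec.get("user_company_id")
        reasons = []
        requested = rec.get("requested_company_id")
        if requested is not None and requested != home:
            reasons.append(f"request named company {requested}, user belongs to company {home}")
        foreign = [a["id"] for a in rec.get("assets", []) if a.get("company_id_before") != home]
        if foreign:
            reasons.append(f"assets previously outside company {home}: {foreign}")
        if reasons:
            findings.append({"line": lineno, "ts": rec.get("ts"),
                             "user_id": rec.get("user_id"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_cross_company_updates(SAMPLE_LOG):
        print(f"{f['ts']} user {f['user_id']}: " + "; ".join(f["reasons"]))
```

On the sample data the second record (a user in company 2 submitting `company_id` 5) and the third (the same user updating an asset that was in company 5) are flagged; the first is normal in-scope activity and the fourth is a superadmin acting legitimately. Recording the pre-update company of each asset is what makes the second check possible, so whatever logging is enabled should capture the state before the write, not only the submitted values.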
Impact:
Business Impact:
- Breach of Multi-Tenancy Isolation: Non-superadmin users can view and modify assets belonging to other companies, violating the fundamental security boundary of the system
- Data Integrity Compromise: Attackers can move assets across company boundaries, potentially corrupting asset tracking and inventory records
- Unauthorized Data Access: Sensitive asset information belonging to other tenants can be accessed without proper authorization
Technical Impact:
- CWE-639: Authorization Bypass Through User-Controlled Key
- Attack Vector: Remote, authenticated
- Privileges Required: Low (authenticated user)
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
Sources:
Reported By: github.com