Improper API Handling in Snipe-IT IT Asset Management System
CVE-2026-55472
4.3MEDIUM
What is CVE-2026-55472?
Snipe-IT is an open-source IT asset and license management system that faced a notable issue prior to version 8.6.2. When the Full Multiple Companies Support feature and scope_locations_fmcs are enabled, there is a flaw in the API location creation endpoint. This flaw allows an invalid parent-child company relationship to be established, as the system fails to immediately reject the creation of a child location under a parent location from a different company. Consequently, this could lead to significant data integrity issues. This vulnerability has been addressed in version 8.6.2, which users are strongly advised to upgrade to for improved security.
Affected Version(s)
snipe-it < 8.6.2
