Improper API Handling in Snipe-IT IT Asset Management System
CVE-2026-55472

4.3MEDIUM

Key Information:

Status
Vendor
CVE Published:
10 July 2026

What is CVE-2026-55472?

Snipe-IT is an open-source IT asset and license management system that faced a notable issue prior to version 8.6.2. When the Full Multiple Companies Support feature and scope_locations_fmcs are enabled, there is a flaw in the API location creation endpoint. This flaw allows an invalid parent-child company relationship to be established, as the system fails to immediately reject the creation of a child location under a parent location from a different company. Consequently, this could lead to significant data integrity issues. This vulnerability has been addressed in version 8.6.2, which users are strongly advised to upgrade to for improved security.

Affected Version(s)

snipe-it < 8.6.2

References

CVSS V3.1

Score:
4.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.