CVE-2026-55482

Name of the Vulnerable Software and Affected Versions Snipe-IT (affected versions not specified)

Description An authorization bypass exists in the BulkAssetsController::update() function. The system accepts the company id variable directly from user input without utilizing the standard company-scoping function Company::getIdForCurrentUser(). This allows a non-superadmin user to move assets across company boundaries, which compromises multi-tenancy isolation (a security architecture that ensures data from different customers or companies is kept separate).

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.