PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-54329 grokability CVE debrief

CVE-2026-54329 is a high-severity vulnerability in Snipe-IT's Accessories API. Prior to version 8.6.2, the API's create path mass-assigns request parameters to the Accessory model, allowing a low-privileged authenticated user in one company to create accessory records under another company when Full Multiple Companies Support is enabled. This issue is fixed in version 8.6.2. The vulnerability exists due to mass-assignable company_id, which can be manipulated by an attacker. Administrators should be aware of this vulnerability and take immediate action to upgrade or apply necessary patches.

Vendor
grokability
Product
snipe-it
CVSS
HIGH 8.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-10
Original CVE updated
2026-07-10
Advisory published
2026-07-10
Advisory updated
2026-07-10

Who should care

Administrators and users of Snipe-IT, especially those with multiple companies and low-privileged authenticated users, should be aware of this vulnerability and take immediate action to upgrade to version 8.6.2 or apply necessary patches. Affected operators, platform administrators, vulnerability management teams, and security teams should review the vulnerability details and plan accordingly.

Technical summary

The vulnerability exists in the Accessories API's create path, where request parameters are mass-assigned to the Accessory model. This allows an attacker to manipulate the company_id parameter, creating accessory records under a different company. The issue is exacerbated by the fact that company_id is mass-assignable. To exploit this vulnerability, an attacker would need to be a low-privileged authenticated user in one company, and the target Snipe-IT instance would need to have Full Multiple Companies Support enabled.

Defensive priority

High priority should be given to upgrading Snipe-IT to version 8.6.2 or applying necessary patches. Additionally, administrators should review and restrict access to the Accessories API, ensuring that only authorized users can create accessory records.

Recommended defensive actions

  • Upgrade Snipe-IT to version 8.6.2 or later
  • Restrict access to the Accessories API
  • Monitor for suspicious activity
  • Review and update user privileges
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review

Evidence notes

The CVE record was published on 2026-07-10T19:17:24.440Z and was last modified on 2026-07-10T21:16:55.297Z. The NVD entry is currently Analyzed. This information is based on the supplied source corpus and may not reflect additional details. Defenders should verify the affected scope and vendor guidance.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T19:17:24.440Z and has not been modified since then. The NVD entry is currently Analyzed.