PatchSiren cyber security CVE debrief
CVE-2026-54329 grokability CVE debrief
CVE-2026-54329 is a high-severity vulnerability in Snipe-IT's Accessories API. Prior to version 8.6.2, the API's create path mass-assigns request parameters to the Accessory model, allowing a low-privileged authenticated user in one company to create accessory records under another company when Full Multiple Companies Support is enabled. This issue is fixed in version 8.6.2. The vulnerability exists due to mass-assignable company_id, which can be manipulated by an attacker. Administrators should be aware of this vulnerability and take immediate action to upgrade or apply necessary patches.
- Vendor
- grokability
- Product
- snipe-it
- CVSS
- HIGH 8.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-10
- Original CVE updated
- 2026-07-10
- Advisory published
- 2026-07-10
- Advisory updated
- 2026-07-10
Who should care
Administrators and users of Snipe-IT, especially those with multiple companies and low-privileged authenticated users, should be aware of this vulnerability and take immediate action to upgrade to version 8.6.2 or apply necessary patches. Affected operators, platform administrators, vulnerability management teams, and security teams should review the vulnerability details and plan accordingly.
Technical summary
The vulnerability exists in the Accessories API's create path, where request parameters are mass-assigned to the Accessory model. This allows an attacker to manipulate the company_id parameter, creating accessory records under a different company. The issue is exacerbated by the fact that company_id is mass-assignable. To exploit this vulnerability, an attacker would need to be a low-privileged authenticated user in one company, and the target Snipe-IT instance would need to have Full Multiple Companies Support enabled.
Defensive priority
High priority should be given to upgrading Snipe-IT to version 8.6.2 or applying necessary patches. Additionally, administrators should review and restrict access to the Accessories API, ensuring that only authorized users can create accessory records.
Recommended defensive actions
- Upgrade Snipe-IT to version 8.6.2 or later
- Restrict access to the Accessories API
- Monitor for suspicious activity
- Review and update user privileges
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
Evidence notes
The CVE record was published on 2026-07-10T19:17:24.440Z and was last modified on 2026-07-10T21:16:55.297Z. The NVD entry is currently Analyzed. This information is based on the supplied source corpus and may not reflect additional details. Defenders should verify the affected scope and vendor guidance.
Official resources
-
CVE-2026-54329 CVE record
CVE.org
-
CVE-2026-54329 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Patch
-
Mitigation or vendor reference
[email protected] - Patch
-
Mitigation or vendor reference
[email protected] - Patch
-
Mitigation or vendor reference
[email protected] - Release Notes
-
Mitigation or vendor reference
[email protected] - Patch, Vendor Advisory
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T19:17:24.440Z and has not been modified since then. The NVD entry is currently Analyzed.