CVE-2026-54329

HIGHPre-NVD 8.58.5
EchelonGraph scoreLOW confidence

This high-severity CVE scores 8.5 under the CNA's CVSS (NVD's own analysis pending). EPSS exploit-prediction score not yet available (the EPSS model rescores nightly; freshly-published CVEs typically appear within 48 hours). GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).

Triggered by: NVD CVSS baseline
Sources: cna:github_m
8.5
EchelonGraph verdictPlan a fixSerious severity, but no confirmed exploitation yet.
  • High severity, but no confirmed exploitation yet
CISA-KEV: Not listedEPSS: CVSS: 8.5Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

Snipe-IT API Vulnerable to Cross-Tenant Accessory Injection

Impact

A cross-tenant data injection vulnerability was identified in the Snipe-IT Accessories API when Full Multiple Companies Support (FMCS) is enabled. A low-privileged authenticated user belonging to one company can create an accessory record under another company by supplying a foreign company_id value in the API request body.

The issue occurs because the API create path mass-assigns request parameters directly to the Accessory model, and the Accessory model allows company_id to be mass assigned. Unlike the web controller, which uses Company::getIdForCurrentUser() to enforce the authenticated user’s company context, the API controller does not apply equivalent tenant enforcement during accessory creation.

As a result, a Company A user can inject persistent accessory records into Company B. The injected records are then visible to Company B users as legitimate Company B inventory records. This breaks the integrity of company-scoped inventory data and represents a tenant isolation failure in the accessory creation flow.

Patches

Patched in https://github.com/grokability/snipe-it/commit/dc8cbf4786bb38b260b4ae1723ec9e7f81d82fe5

CVSS v3
8.5
EG Score
8.5(low)
EPSS
KEV
Not listed

Published

June 23, 2026

Last Modified

June 23, 2026

Vendor Advisories for CVE-2026-54329(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Data Freshness Timeline

(refreshed 15× in last 7d / 29× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-07-06 22:26 UTCEG score recompute
  2. 2026-07-06 11:32 UTCEG score recompute
  3. 2026-07-06 00:37 UTCEG score recompute
  4. 2026-07-05 13:43 UTCEG score recompute
  5. 2026-07-05 02:49 UTCEG score recompute
  6. 2026-07-04 15:55 UTCEG score recompute
  7. 2026-07-04 05:02 UTCEG score recompute
  8. 2026-07-03 17:57 UTCEG score recompute
  9. 2026-07-03 07:00 UTCEG score recompute
  10. 2026-07-02 19:58 UTCEG score recompute
  11. 2026-07-02 09:04 UTCEG score recompute
  12. 2026-07-01 22:07 UTCEG score recompute
  13. 2026-07-01 11:05 UTCEG score recompute
  14. 2026-07-01 00:11 UTCEG score recompute
  15. 2026-06-30 13:16 UTCEG score recompute
  16. 2026-06-30 02:20 UTCEG score recompute
  17. 2026-06-29 15:26 UTCEG score recompute
  18. 2026-06-29 04:30 UTCEG score recompute
  19. 2026-06-28 17:35 UTCEG score recompute
  20. 2026-06-28 06:39 UTCEG score recompute
  21. 2026-06-27 19:45 UTCEG score recompute
  22. 2026-06-27 08:52 UTCEG score recompute
  23. 2026-06-26 21:58 UTCEG score recompute
  24. 2026-06-26 11:04 UTCEG score recompute
  25. 2026-06-25 19:07 UTCEG score recompute
Show 4 more
  1. 2026-06-25 08:13 UTCEG score recompute
  2. 2026-06-24 21:19 UTCEG score recompute
  3. 2026-06-24 10:25 UTCEG score recompute
  4. 2026-06-23 23:30 UTCEG score recompute

Frequently asked(4)

What is CVE-2026-54329?
CVE-2026-54329 is a high vulnerability published on June 23, 2026. Snipe-IT API Vulnerable to Cross-Tenant Accessory Injection Impact A cross-tenant data injection vulnerability was identified in the Snipe-IT Accessories API when Full Multiple Companies Support (FMCS) is enabled. A low-privileged authenticated user belonging to one company can create an accessory…
When was CVE-2026-54329 disclosed?
CVE-2026-54329 was first published in the National Vulnerability Database on June 23, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
What is the CVSS score of CVE-2026-54329?
CVE-2026-54329 has a CVSS v4.0 base score of 8.5 (CNA self-assessment; NVD's own analysis pending). The EG score is currently aggregating — additional source signals are being incorporated as they become available..
How do I remediate CVE-2026-54329?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-54329, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

Explore the affected products and dependency analysis for CVE-2026-54329

Explore →

Is Your Infrastructure Affected by CVE-2026-54329?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.