GHSA-33g4-646g-qwmmMediumCVSS 6.3

Snipe-IT has Multi-Tenancy Bypass via Bulk Asset Update

Published
June 23, 2026
Last Modified
June 23, 2026

🔗 CVE IDs covered (1)

📋 Description

Impact

The BulkAssetsController::update() method accepts company_id directly from user input without calling Company::getIdForCurrentUser(), the standard company-scoping function used by every other controller in the codebase. A non-superadmin user can move assets across company boundaries, breaking multi-tenancy isolation.

Patches

Patched in https://github.com/grokability/snipe-it/commit/d58fda626e8febfeff4cabbc20ba03edfc411e18

🎯 Affected products1

  • composer/snipe/snipe-it:<= 8.4.1

🔗 References (3)