CVE-2026-48492 in Snipe-ITinfo

Summary

by MITRE • 07/09/2026

Snipe-IT is an IT asset/license management system. Prior to version 8.6.1, the GET /api/v1/{object}/selectlist API endpoint is missing an authorization check. Any user who can log into Snipe-IT - regardless of permissions - can retrieve a paginated list of all user accounts using only their web session cookie. No API token or elevated permissions are required. This exposes usernames, display names, employee numbers, and user IDs for every active account in the system if FMCS is not enabled, and within the company they belong to if FMCS is enabled. Version 8.6.1 contains a patch.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 07/09/2026

This vulnerability represents a critical authorization bypass flaw in the Snipe-IT asset management platform that allows unauthorized users to enumerate sensitive user information through a misconfigured API endpoint. The issue affects versions prior to 8.6.1 where the GET /api/v1/{object}/selectlist endpoint fails to properly validate user permissions before returning user account data. This represents a clear violation of the principle of least privilege and demonstrates a fundamental breakdown in access control mechanisms within the application's authentication framework. The flaw specifically impacts the selectlist API endpoint which is designed to provide dropdown options for various system objects, but instead becomes a vector for comprehensive user enumeration.

The technical implementation of this vulnerability stems from the absence of proper authorization checks within the API layer, allowing any authenticated user to bypass normal permission controls and access user account information through simple HTTP GET requests. This flaw operates at the application logic level rather than being a network-level issue, making it particularly concerning as it requires no special tools or advanced techniques beyond standard web browsing capabilities. The vulnerability affects all users who can establish a valid session with the system, meaning that even users with minimal permissions can exploit this weakness to gather intelligence about other accounts within the organization.

The operational impact of this vulnerability extends beyond simple information disclosure to potentially enable more sophisticated attacks such as credential stuffing, targeted phishing campaigns, or social engineering attempts. When FMCS (First Name, Middle Name, and Surname) is disabled, the exposure includes usernames, display names, employee numbers, and user IDs which can be used to build comprehensive profiles of organizational personnel. Even when FMCS is enabled, the vulnerability still exposes usernames and associated company affiliations, providing attackers with valuable information for planning targeted attacks against specific users within the organization. This information can be particularly damaging in environments where user accounts are directly tied to physical security systems or sensitive business processes.

The vulnerability aligns with CWE-284 which specifically addresses improper access control issues, demonstrating a clear failure in implementing proper authorization checks for API endpoints. From an ATT&CK framework perspective, this represents a privilege escalation technique that allows adversaries to gather intelligence and establish persistence by enumerating user accounts within the system. The lack of authentication verification at the API endpoint level creates a persistent risk that can be exploited repeatedly without requiring additional credentials or elevated privileges. Organizations using Snipe-IT versions prior to 8.6.1 are particularly vulnerable as this flaw exists in the core application logic and affects all authenticated users regardless of their assigned roles or permissions.

Organizations should implement immediate mitigations including upgrading to version 8.6.1 or later which contains the necessary authorization checks for the selectlist API endpoint. Security teams should also conduct comprehensive audits of other API endpoints to ensure that similar authorization bypass vulnerabilities do not exist elsewhere in the application. Network-level monitoring should be enhanced to detect unusual patterns of API access that might indicate enumeration attempts, and regular penetration testing should be performed to identify potential authorization gaps. Additionally, implementing proper rate limiting on API endpoints can help prevent automated enumeration attacks while maintaining legitimate functionality for authorized users.

Responsible

GitHub M

Reservation

05/21/2026

Disclosure

07/09/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!