Snipe-IT CVE-2026-48492
MEDIUMSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-accessible endpoint requiring only a valid authenticated session (PR:L, AC:L); impact limited to partial confidentiality disclosure of user directory data with no integrity or availability effect.
Primary rating from Vendor (https://github.com/grokability/snipe-it).
CVSS VectorVendor: https://github.com/grokability/snipe-it
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Impact
The GET /api/v1/{object}/selectlist API endpoint is missing an authorization check. Any user who can log into Snipe-IT - regardless of permissions - can retrieve a paginated list of all user accounts using only their web session cookie. No API token or elevated permissions are required. This exposes usernames, display names, employee numbers, and user IDs for every active account in the system if FMCS is not enabled, and within the company they belong to if FMCS is enabled.
What an attacker can do with a valid login and zero permissions:
- Enumerate all active user accounts by paginating through the endpoint
- Harvest usernames for credential stuffing or password spray attacks
- Collect employee numbers and full names for social engineering
- Perform indirect email enumeration via the search parameter
- Map user IDs for use in further enumeration against other endpoints
This vulnerability is exploitable only by users who have a working login to the Snipe-IT system.
Patches
https://github.com/grokability/snipe-it/commit/4f943d4a7ab8e53f3d9e32770602d1118bab005f
AnalysisAI
{object}/selectlist API endpoints allows any authenticated user-regardless of permissions-to enumerate the full user directory, assets, accessories, consumables, and licenses using only a valid session cookie. Affected versions prior to 8.5.1 expose usernames, display names, employee numbers, and user IDs for all active accounts, providing an ideal launchpad for credential stuffing, password spraying, and social engineering. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires exactly one prerequisite: a valid authenticated session to the Snipe-IT instance, obtainable by logging in with any account regardless of assigned role or permissions-no API token, no administrative rights, and no special configuration flags are needed. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | No CVSS vector was provided in the input data, so risk signals are independently assessed. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with any valid Snipe-IT account-including a newly created or compromised low-privilege employee account-sends paginated GET requests to /api/v1/users/selectlist using only their browser session cookie, iterating through pages to collect all active usernames, display names, and employee numbers in the system. The harvested employee list is then used to construct a targeted password spray attack against the organization's VPN or identity provider. … |
| Remediation | Upgrade to Snipe-IT version 8.5.1 or later, which adds the view.selectlists authorization gate to all affected selectlist controller methods as documented in the patch commit https://github.com/grokability/snipe-it/commit/4f943d4a7ab8e53f3d9e32770602d1118bab005f. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-f3c5-6cw8-fg57