Skip to main content

Snipe-IT CVE-2026-48492

MEDIUM
Missing Authorization (CWE-862)
2026-06-23 https://github.com/grokability/snipe-it GHSA-f3c5-6cw8-fg57
4.9
CVSS 4.0 · Vendor: https://github.com/grokability/snipe-it
Share

Severity by source

Vendor (https://github.com/grokability/snipe-it) PRIMARY
4.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
4.3 MEDIUM

Network-accessible endpoint requiring only a valid authenticated session (PR:L, AC:L); impact limited to partial confidentiality disclosure of user directory data with no integrity or availability effect.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (https://github.com/grokability/snipe-it).

CVSS VectorVendor: https://github.com/grokability/snipe-it

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
CVSS changed
Jul 08, 2026 - 22:22 NVD
4.9 (MEDIUM)
Source Code Evidence Fetched
Jun 23, 2026 - 22:48 vuln.today
Analysis Generated
Jun 23, 2026 - 22:48 vuln.today

DescriptionCVE.org

Impact

The GET /api/v1/{object}/selectlist API endpoint is missing an authorization check. Any user who can log into Snipe-IT - regardless of permissions - can retrieve a paginated list of all user accounts using only their web session cookie. No API token or elevated permissions are required. This exposes usernames, display names, employee numbers, and user IDs for every active account in the system if FMCS is not enabled, and within the company they belong to if FMCS is enabled.

What an attacker can do with a valid login and zero permissions:

  • Enumerate all active user accounts by paginating through the endpoint
  • Harvest usernames for credential stuffing or password spray attacks
  • Collect employee numbers and full names for social engineering
  • Perform indirect email enumeration via the search parameter
  • Map user IDs for use in further enumeration against other endpoints

This vulnerability is exploitable only by users who have a working login to the Snipe-IT system.

Patches

https://github.com/grokability/snipe-it/commit/4f943d4a7ab8e53f3d9e32770602d1118bab005f

AnalysisAI

{object}/selectlist API endpoints allows any authenticated user-regardless of permissions-to enumerate the full user directory, assets, accessories, consumables, and licenses using only a valid session cookie. Affected versions prior to 8.5.1 expose usernames, display names, employee numbers, and user IDs for all active accounts, providing an ideal launchpad for credential stuffing, password spraying, and social engineering. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain any valid Snipe-IT login credential
Delivery
Authenticate via web UI to acquire session cookie
Exploit
Issue GET /api/v1/users/selectlist with pagination parameters
Execution
Iterate pages to harvest full user directory
Persist
Extract usernames, employee IDs, and display names
Impact
Use harvested data for credential stuffing or social engineering

Vulnerability AssessmentAI

Exploitation Exploitation requires exactly one prerequisite: a valid authenticated session to the Snipe-IT instance, obtainable by logging in with any account regardless of assigned role or permissions-no API token, no administrative rights, and no special configuration flags are needed. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment No CVSS vector was provided in the input data, so risk signals are independently assessed. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with any valid Snipe-IT account-including a newly created or compromised low-privilege employee account-sends paginated GET requests to /api/v1/users/selectlist using only their browser session cookie, iterating through pages to collect all active usernames, display names, and employee numbers in the system. The harvested employee list is then used to construct a targeted password spray attack against the organization's VPN or identity provider. …
Remediation Upgrade to Snipe-IT version 8.5.1 or later, which adds the view.selectlists authorization gate to all affected selectlist controller methods as documented in the patch commit https://github.com/grokability/snipe-it/commit/4f943d4a7ab8e53f3d9e32770602d1118bab005f. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-48492 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy