Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-48492

CVE-2026-48492: Snipe-IT Auth Bypass Vulnerability

CVE-2026-48492 is an authorization bypass vulnerability in Snipe-IT that allows any authenticated user to access sensitive account data. This article covers the technical details, affected versions, and mitigation.

Published:

CVE-2026-48492 Overview

CVE-2026-48492 is a missing authorization vulnerability [CWE-862] in Snipe-IT, an open-source IT asset and license management system. The flaw affects the GET /api/v1/{object}/selectlist API endpoint in versions prior to 8.6.1. Any authenticated user can query the endpoint using only a web session cookie, regardless of assigned permissions. The endpoint returns a paginated list of all user accounts, exposing usernames, display names, employee numbers, and user IDs. When Full Multiple Company Support (FMCS) is disabled, the disclosure spans every active account in the system. When FMCS is enabled, disclosure is limited to the user's company. Version 8.6.1 contains the patch.

Critical Impact

Any low-privileged authenticated user can enumerate user account details across the Snipe-IT instance without an API token or elevated role.

Affected Products

  • Snipe-IT versions prior to 8.6.1
  • Snipe-IT AccessoriesController selectlist endpoint
  • Snipe-IT AssetsController selectlist endpoint

Discovery Timeline

  • 2026-07-08 - CVE-2026-48492 published to NVD
  • 2026-07-08 - Last updated in NVD database

Technical Details for CVE-2026-48492

Vulnerability Analysis

Snipe-IT exposes selectlist endpoints under /api/v1/{object}/selectlist to power dropdown widgets in the web interface. These endpoints return paginated identity metadata used to populate selection controls. The controllers backing these routes did not invoke an authorization gate before returning results.

Any authenticated user, including those assigned minimum permissions, could reach the endpoint with a valid session cookie. The response includes usernames, display names, employee numbers, and internal user IDs. Attackers can use this data for reconnaissance, credential-stuffing target lists, or social engineering.

Root Cause

The controllers responsible for selectlist responses lacked a call to Laravel's authorize() method. Without the gate, permission checks defined elsewhere in the application were never evaluated. The classification maps to [CWE-862] Missing Authorization.

Attack Vector

Exploitation requires only network access to the Snipe-IT web interface and a valid authenticated session. An attacker with any role sends a GET request to /api/v1/users/selectlist (or other object variants) using the browser session cookie. The server returns paginated user records without checking permissions.

php
     */
    public function selectlist(Request $request)
    {
+        $this->authorize('view.selectlists');

        $accessories = Accessory::select([
            'accessories.id',

Source: GitHub Commit 4f943d4

The patch adds $this->authorize('view.selectlists') at the top of each controller method, forcing Laravel's policy layer to validate the caller's permissions before returning data. An equivalent gate is applied in AssetsController::selectlist.

Detection Methods for CVE-2026-48492

Indicators of Compromise

  • Unusual volume of GET /api/v1/*/selectlist requests originating from a single authenticated session
  • Requests to selectlist endpoints from low-privileged accounts that would not normally use the admin UI dropdowns
  • Web server logs showing pagination iteration (?page=1, ?page=2, etc.) against selectlist routes

Detection Strategies

  • Review Laravel application logs and reverse-proxy access logs for repeated calls to /api/v1/{object}/selectlist prior to upgrading to 8.6.1
  • Correlate session identifiers making selectlist requests with the assigned role of the user to identify permission mismatches
  • Alert on outbound API responses whose payload sizes indicate bulk user enumeration

Monitoring Recommendations

  • Enable request-level auditing on the Snipe-IT web tier and forward logs to a centralized log platform for retention and search
  • Monitor for authenticated sessions issuing high-frequency, low-latency API calls consistent with scraping behavior
  • Track new or dormant accounts that suddenly query API endpoints outside their normal usage pattern

How to Mitigate CVE-2026-48492

Immediate Actions Required

  • Upgrade Snipe-IT to version 8.6.1 or later, which introduces the view.selectlists authorization gate
  • Rotate API tokens and force session invalidation for accounts suspected of enumerating user data
  • Audit user account and role assignments to remove unnecessary low-privileged accounts with API access

Patch Information

The fix is delivered in Snipe-IT 8.6.1 via commit 4f943d4a7ab8e53f3d9e32770602d1118bab005f. The commit adds $this->authorize('view.selectlists') to each selectlist controller method, including AccessoriesController and AssetsController. See the GitHub Security Advisory GHSA-f3c5-6cw8-fg57 for the vendor writeup.

Workarounds

  • Restrict network access to the Snipe-IT interface to trusted management networks or VPN users until the patch is applied
  • Enable Full Multiple Company Support (FMCS) to limit exposure scope to the user's own company rather than the entire instance
  • Apply a reverse-proxy rule that blocks or rate-limits requests to /api/v1/*/selectlist for non-administrator sessions
bash
# Example nginx rule to block selectlist endpoints at the proxy until patched
location ~ ^/api/v1/[^/]+/selectlist$ {
    return 403;
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.