CVE-2026-48492
Received Received - Intake

Authorization Bypass in Snipe-IT Leads to User Data Exposure

Vulnerability report for CVE-2026-48492, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: GitHub, Inc.

Description

Snipe-IT is an IT asset/license management system. Prior to version 8.6.1, the GET /api/v1/{object}/selectlist API endpoint is missing an authorization check. Any user who can log into Snipe-IT - regardless of permissions - can retrieve a paginated list of all user accounts using only their web session cookie. No API token or elevated permissions are required. This exposes usernames, display names, employee numbers, and user IDs for every active account in the system if FMCS is not enabled, and within the company they belong to if FMCS is enabled. Version 8.6.1 contains a patch.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-09
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
snipe-it snipe-it to 8.6.1 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in Snipe-IT, an IT asset/license management system, in versions prior to 8.6.1. The GET /api/v1/{object}/selectlist API endpoint lacks an authorization check, allowing any logged-in user to retrieve a paginated list of all user accounts using only their web session cookie.

No API token or elevated permissions are required to exploit this vulnerability. The exposed information includes usernames, display names, employee numbers, and user IDs for every active account in the system if FMCS is not enabled, or within the user's company if FMCS is enabled.

This issue was fixed in version 8.6.1 by adding the necessary authorization checks.

Impact Analysis

The vulnerability allows any authenticated user to access sensitive user account information without proper authorization.

This exposure can lead to privacy breaches, as usernames, display names, employee numbers, and user IDs are revealed.

Attackers or unauthorized users could use this information for social engineering, phishing attacks, or further exploitation within the system.

Mitigation Strategies

To mitigate this vulnerability, upgrade Snipe-IT to version 8.6.1 or later, which contains a patch that adds the missing authorization check to the GET /api/v1/{object}/selectlist API endpoint.

Compliance Impact

The vulnerability allows any logged-in user to retrieve a paginated list of all user accounts, exposing usernames, display names, employee numbers, and user IDs without requiring elevated permissions or API tokens.

This unauthorized exposure of personal and employee information could lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require strict controls on access to personal and sensitive data.

Since the vulnerability permits access to user data without proper authorization checks, it undermines confidentiality and access control requirements mandated by these standards.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-48492. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart