Authorization Bypass in Snipe-IT IT Asset Management System
CVE-2026-48492

4.9MEDIUM

Key Information:

Status
Vendor
CVE Published:
8 July 2026

What is CVE-2026-48492?

The Snipe-IT IT asset management system contains a significant flaw in its GET /api/v1/{object}/selectlist API endpoint prior to version 8.6.1, which lacks an adequate authorization check. This allows any authenticated user to access a paginated list of all user accounts without needing elevated permissions or an API token. As a result, sensitive information such as usernames, display names, employee numbers, and user IDs could be exposed. This vulnerability poses a risk to organizations, especially if FMCS is disabled, as it facilitates the unauthorized retrieval of user data across the system.

Affected Version(s)

snipe-it < 8.5.1

References

CVSS V4

Score:
4.9
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.