Authorization Bypass in Snipe-IT IT Asset Management System
CVE-2026-48492
4.9MEDIUM
What is CVE-2026-48492?
The Snipe-IT IT asset management system contains a significant flaw in its GET /api/v1/{object}/selectlist API endpoint prior to version 8.6.1, which lacks an adequate authorization check. This allows any authenticated user to access a paginated list of all user accounts without needing elevated permissions or an API token. As a result, sensitive information such as usernames, display names, employee numbers, and user IDs could be exposed. This vulnerability poses a risk to organizations, especially if FMCS is disabled, as it facilitates the unauthorized retrieval of user data across the system.
Affected Version(s)
snipe-it < 8.5.1
