Improper access control in snipe-it - CVE-2026-48492

Published: June 9, 2026


Vulnerability identifier: #VU134013
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-48492
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: snipe
Affected software: snipe-it

Detailed vulnerability description

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper access control in the GET /api/v1/{object}/selectlist API endpoint when handling authenticated requests: authentication is the only gate, so no additional permission is required to list user accounts. A remote authenticated user can send a request to this endpoint to retrieve a paginated list of user accounts and thereby disclose sensitive information.

The issue exposes usernames, display names, employee numbers, and user IDs for active accounts. If FMCS (Full Multiple Companies Support) is disabled, all active accounts are exposed; if FMCS is enabled, exposure is limited to active accounts within the caller's own company.
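To make the authorization gap concrete, here is an added illustration written for this page (it is not Snipe-IT's code and does not reproduce the vendor's fix): a minimal in-memory model of a user selectlist endpoint in which authentication is the only gate, beside a hardened version that also requires an explicit permission to view users before returning any rows. The sample user table, the `users.view` permission name and the `fmcs_enabled` flag are assumptions; the company scoping is modelled exactly as the advisory describes it (limit results to the caller's company when FMCS is enabled).

```python
"""Model of the weak authorization pattern described in the advisory
beside a hardened one. All data and names here are constructed for
illustration; this is not Snipe-IT code."""
from dataclasses import dataclass, field


@dataclass
class User:
    id: int
    username: str
    name: str
    employee_num: str
    company_id: int
    active: bool = True
    # Assumed permission model: a set of permission strings such as "users.view".
    permissions: set = field(default_factory=set)


# Constructed sample user table (not real accounts).
USERS = [
    User(1, "admin", "Site Admin", "E001", company_id=1, permissions={"users.view"}),
    User(2, "alice", "Alice Example", "E002", company_id=1),
    User(3, "bob", "Bob Example", "E003", company_id=2),
    User(4, "carol", "Carol Example", "E004", company_id=2, active=False),
]


class Forbidden(Exception):
    """Raised when the caller lacks the permission the endpoint requires."""


def find_user(username, users=USERS):
    """Look up a sample user by username (helper for callers and tests)."""
    return next(u for u in users if u.username == username)


def _row(u):
    """The fields the advisory says the endpoint discloses per account."""
    return {"id": u.id, "text": u.username, "name": u.name, "employee_num": u.employee_num}


def _scoped_active_users(caller, users, fmcs_enabled):
    """Active accounts, narrowed to the caller's company when FMCS is on."""
    rows = [u for u in users if u.active]
    if fmcs_enabled:
        rows = [u for u in rows if u.company_id == caller.company_id]
    return rows


def selectlist_weak(caller, users=USERS, fmcs_enabled=False, page=1, per_page=20):
    """Weak pattern (CWE-284): being authenticated is the only check, so any
    logged-in user receives every active account visible under the scoping."""
    rows = _scoped_active_users(caller, users, fmcs_enabled)
    start = (page - 1) * per_page
    return [_row(u) for u in rows[start:start + per_page]]


def selectlist_hardened(caller, users=USERS, fmcs_enabled=False, page=1, per_page=20):
    """Hardened pattern (an assumed fix, not the vendor's patch): demand an
    explicit view-users permission before building the list at all; the
    pagination and company scoping are then applied unchanged."""
    if "users.view" not in caller.permissions:
        raise Forbidden("caller lacks the users.view permission")
    return selectlist_weak(caller, users, fmcs_enabled, page, per_page)


if __name__ == "__main__":
    alice = find_user("alice")           # ordinary user, no users.view
    print("weak, FMCS off:", selectlist_weak(alice))
    print("weak, FMCS on: ", selectlist_weak(alice, fmcs_enabled=True))
    try:
        selectlist_hardened(alice)
    except Forbidden as exc:
        print("hardened:", exc)
```

With FMCS off, `alice`, who holds no user-management permission, still receives admin, alice and bob (carol is excluded only because she is inactive); with FMCS on she receives the two accounts in company 1. The hardened variant refuses her outright while an account holding `users.view` gets the same scoped, paginated result, which is the property to verify when confirming that a patched instance no longer exposes the list to low-privilege accounts.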


How to mitigate CVE-2026-48492

Install the security update from the vendor's website.
