
PEACH
Un cadre d’isolation des locataires
CVE-2026-48492 is a missing authorization vulnerability in Snipe-IT, an open-source IT asset management application, affecting all versions prior to 8.5.1. The flaw allows any authenticated user — regardless of their assigned permissions — to enumerate all user accounts via the GET /api/v1/{object}/selectlist API endpoint using only a valid web session cookie. It was first published by the vendor on May 27, 2026, and added to the GitHub Advisory Database on June 23, 2026. The vulnerability carries a CVSS v4.0 base score of 4.9 (Medium) (GitHub Advisory).
The root cause is CWE-862 (Missing Authorization): the selectlist() method in multiple API controllers (UsersController, AssetsController, AccessoriesController, ConsumablesController, LicensesController) did not call $this->authorize('view.selectlists') before returning data, meaning no permission gate was enforced (GitHub Advisory, Patch Commit). An attacker with any valid Snipe-IT login can send paginated GET requests to /api/v1/users/selectlist (and analogous endpoints for assets, accessories, consumables, and licenses) using their session cookie — no API token or elevated role is needed. The search query parameter additionally enables indirect email enumeration by filtering results. The fix, applied in commit 4f943d4, adds the view.selectlists authorization gate to all affected controller methods (Patch Commit).
Successful exploitation exposes usernames, display names, employee numbers, and internal user IDs for every active account in the Snipe-IT instance (or within the attacker's company if Full Multiple Company Support is enabled). There is no integrity or availability impact — the vulnerability is purely a confidentiality issue. However, the harvested data can be leveraged for downstream attacks including credential stuffing, password spraying, spear-phishing, and social engineering campaigns targeting the organization's employees (GitHub Advisory).
snipeit_session) from the browser or an intercepting proxy such as Burp Suite./api/v1/users/selectlist using the session cookie, e.g.:GET /api/v1/users/selectlist HTTP/1.1
Host: <target>
Cookie: snipeit_session=<session_value>offset or page query parameter to retrieve all user records, collecting usernames, display names, employee numbers, and user IDs.search parameter (e.g., /api/v1/users/selectlist?search=@company.com) to confirm or discover email addresses./api/v1/assets/selectlist, /api/v1/accessories/selectlist, /api/v1/consumables/selectlist, and /api/v1/licenses/selectlist to enumerate additional asset inventory data./api/v1/users/selectlist, /api/v1/assets/selectlist, /api/v1/accessories/selectlist, /api/v1/consumables/selectlist, or /api/v1/licenses/selectlist from a single authenticated session, especially with incrementing offset or page parameters.selectlist endpoints from a low-privilege user account; requests with search parameters containing email domain fragments (e.g., ?search=@company.com).Upgrade Snipe-IT to version 8.5.1 or later, which adds the view.selectlists authorization gate to all affected selectlist() controller methods (GitHub Advisory, Patch Commit). There is no documented configuration-based workaround for unpatched versions; the only effective remediation is applying the patch. As an interim measure, administrators should audit active user accounts and restrict Snipe-IT access to only those who require it, reducing the pool of potential internal attackers.
The vulnerability was reported by security researcher iltosec and disclosed by the Snipe-IT maintainer (snipe) via a GitHub Security Advisory on May 27, 2026. No significant broader media coverage or notable public researcher commentary beyond the advisory itself has been identified at this time (GitHub Security Advisory).
Source: Ce rapport a été généré à l’aide de l’IA
Évaluation gratuite des vulnérabilités
Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.
Obtenez une démo personnalisée
"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."