CVE-2026-48492
PHP Analyse et atténuation des vulnérabilités

Aperçu

CVE-2026-48492 is a missing authorization vulnerability in Snipe-IT, an open-source IT asset management application, affecting all versions prior to 8.5.1. The flaw allows any authenticated user — regardless of their assigned permissions — to enumerate all user accounts via the GET /api/v1/{object}/selectlist API endpoint using only a valid web session cookie. It was first published by the vendor on May 27, 2026, and added to the GitHub Advisory Database on June 23, 2026. The vulnerability carries a CVSS v4.0 base score of 4.9 (Medium) (GitHub Advisory).

Détails techniques

The root cause is CWE-862 (Missing Authorization): the selectlist() method in multiple API controllers (UsersController, AssetsController, AccessoriesController, ConsumablesController, LicensesController) did not call $this->authorize('view.selectlists') before returning data, meaning no permission gate was enforced (GitHub Advisory, Patch Commit). An attacker with any valid Snipe-IT login can send paginated GET requests to /api/v1/users/selectlist (and analogous endpoints for assets, accessories, consumables, and licenses) using their session cookie — no API token or elevated role is needed. The search query parameter additionally enables indirect email enumeration by filtering results. The fix, applied in commit 4f943d4, adds the view.selectlists authorization gate to all affected controller methods (Patch Commit).

Impact

Successful exploitation exposes usernames, display names, employee numbers, and internal user IDs for every active account in the Snipe-IT instance (or within the attacker's company if Full Multiple Company Support is enabled). There is no integrity or availability impact — the vulnerability is purely a confidentiality issue. However, the harvested data can be leveraged for downstream attacks including credential stuffing, password spraying, spear-phishing, and social engineering campaigns targeting the organization's employees (GitHub Advisory).

Étapes d’exploitation

  1. Obtain a valid Snipe-IT login: Acquire any working username and password for the target Snipe-IT instance — even a low-privilege or newly created account with no assigned permissions is sufficient.
  2. Authenticate and capture session cookie: Log in via the Snipe-IT web interface and capture the resulting session cookie (e.g., snipeit_session) from the browser or an intercepting proxy such as Burp Suite.
  3. Query the selectlist endpoint: Send a GET request to /api/v1/users/selectlist using the session cookie, e.g.:
    GET /api/v1/users/selectlist HTTP/1.1
    Host: <target>
    Cookie: snipeit_session=<session_value>
  4. Paginate through results: Iterate through pages using the offset or page query parameter to retrieve all user records, collecting usernames, display names, employee numbers, and user IDs.
  5. Use search for email enumeration: Supply known email fragments to the search parameter (e.g., /api/v1/users/selectlist?search=@company.com) to confirm or discover email addresses.
  6. Repeat for other object types: Query /api/v1/assets/selectlist, /api/v1/accessories/selectlist, /api/v1/consumables/selectlist, and /api/v1/licenses/selectlist to enumerate additional asset inventory data.
  7. Leverage harvested data: Use collected usernames and employee details for credential stuffing, password spray attacks, or targeted social engineering (GitHub Advisory, Patch Commit).

Indicateurs de compromis

  • Network: Repeated or scripted GET requests to /api/v1/users/selectlist, /api/v1/assets/selectlist, /api/v1/accessories/selectlist, /api/v1/consumables/selectlist, or /api/v1/licenses/selectlist from a single authenticated session, especially with incrementing offset or page parameters.
  • Logs: Web server or application access logs showing high-frequency, paginated requests to selectlist endpoints from a low-privilege user account; requests with search parameters containing email domain fragments (e.g., ?search=@company.com).
  • Behavioral: A user account with no assigned Snipe-IT permissions generating API traffic to enumeration endpoints; unusual access patterns outside of normal business hours from authenticated sessions.

Atténuation et solutions de contournement

Upgrade Snipe-IT to version 8.5.1 or later, which adds the view.selectlists authorization gate to all affected selectlist() controller methods (GitHub Advisory, Patch Commit). There is no documented configuration-based workaround for unpatched versions; the only effective remediation is applying the patch. As an interim measure, administrators should audit active user accounts and restrict Snipe-IT access to only those who require it, reducing the pool of potential internal attackers.

Réactions de la communauté

The vulnerability was reported by security researcher iltosec and disclosed by the Snipe-IT maintainer (snipe) via a GitHub Security Advisory on May 27, 2026. No significant broader media coverage or notable public researcher commentary beyond the advisory itself has been identified at this time (GitHub Security Advisory).

Ressources additionnelles


SourceCe rapport a été généré à l’aide de l’IA

Apparenté PHP Vulnérabilités:

Identifiant CVE

Sévérité

Score

Technologies

Nom du composant

Exploit CISA KEV

A corrigé

Date de publication

CVE-2026-55878HIGH7.8
  • PHP logoPHP
  • cpe:2.3:a:sensiolabs:symfony
NonOuiJul 08, 2026
CVE-2026-55877MEDIUM6.1
  • PHP logoPHP
  • composer://symfony/ux-icons
NonOuiJul 08, 2026
CVE-2026-48492MEDIUM4.9
  • PHP logoPHP
  • snipe/snipe-it
NonOuiJul 08, 2026
GHSA-gq4g-fpc9-vjfqLOW2.9
  • PHP logoPHP
  • web-auth/webauthn-lib
NonOuiJul 07, 2026
CVE-2026-55542LOW1.3
  • PHP logoPHP
  • snipe/snipe-it
NonOuiJul 08, 2026

Évaluation gratuite des vulnérabilités

Évaluez votre posture de sécurité dans le cloud

Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.

Demander une évaluation

Obtenez une démo personnalisée

Prêt(e) à voir Wiz en action ?

"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
David EstlickRSSI
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
Adam FletcherChef du service de sécurité
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."
Greg PoniatowskiResponsable de la gestion des menaces et des vulnérabilités