CVE-2026-48492

Name of the Vulnerable Software and Affected Versions Snipe-IT (affected versions not specified)

Description An improper access control issue exists in the 'GET /api/v1/{object}/selectlist' API endpoint due to a missing authorization check. Any authenticated user, regardless of their assigned permissions, can use their web session cookie to retrieve a paginated list of all user accounts. This exposure includes usernames, display names, employee numbers, and user IDs for every active account in the system when FMCS (Field Management Control System) is disabled, or for accounts within the user's own company when FMCS is enabled. An attacker with valid login credentials can enumerate active accounts, harvest usernames for credential stuffing or password spray attacks, collect employee numbers and full names for social engineering, perform indirect email enumeration via the search parameter, and map user IDs for further enumeration against other endpoints.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.