Advisory Database

CVE-2026-48492: Snipe-IT's selectlist visibility is too permissive

June 23, 2026

The GET /api/v1/{object}/selectlist API endpoint is missing an authorization check. Any user who can log into Snipe-IT, regardless of permissions, can retrieve a paginated list of all user accounts using only their web session cookie; no API token or elevated permissions are required. This exposes the usernames, display names, employee numbers, and user IDs of every active account in the system when FMCS (Full Multiple Companies Support) is disabled, or of every active account in the user's own company when FMCS is enabled.

References

  • github.com/advisories/GHSA-f3c5-6cw8-fg57
  • github.com/grokability/snipe-it/commit/4f943d4a7ab8e53f3d9e32770602d1118bab005f
  • github.com/grokability/snipe-it/security/advisories/GHSA-f3c5-6cw8-fg57
  • nvd.nist.gov/vuln/detail/CVE-2026-48492

Affected versions

All versions before 8.5.1

Fixed versions

  • 8.5.1

Solution

Upgrade to version 8.5.1 or above.

Impact

6.5 MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Weakness

  • CWE-862: Missing Authorization

Source file

packagist/snipe/snipe-it/CVE-2026-48492.yml

Page generated Thu, 25 Jun 2026 12:18:26 +0000.