PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-48492 grokability CVE debrief

CVE-2026-48492 is a medium-severity vulnerability in Snipe-IT's API endpoint, which lacks an authorization check. This allows any logged-in user to retrieve a paginated list of all user accounts, exposing sensitive information such as usernames, display names, employee numbers, and user IDs. The exposure affects active accounts, and its impact varies depending on whether FMCS is enabled. To mitigate this vulnerability, it is essential to apply the patch in version 8.6.1 or later immediately. Additionally, restricting access to the affected API endpoint and monitoring for suspicious account enumeration attempts can help prevent potential insider threats or account enumeration attacks. It is also crucial to review and update access controls for Snipe-IT API endpoints and conduct a thorough inventory of Snipe-IT installations and user accounts. The CVE record was published on 2026-07-08T22:17:14.870Z and was last modified on 2026-07-10T17:49:57.737Z. The NVD entry is currently Undergoing Analysis.

Vendor
grokability
Product
snipe-it
CVSS
MEDIUM 4.9
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-08
Original CVE updated
2026-07-10
Advisory published
2026-07-08
Advisory updated
2026-07-10

Who should care

IT asset and license management teams using Snipe-IT, especially those with user account data, should prioritize patching to version 8.6.1 or later. Security teams monitoring for potential insider threats or account enumeration attacks should also be aware of this vulnerability.

Technical summary

The GET /api/v1/{object}/selectlist API endpoint in Snipe-IT versions prior to 8.6.1 lacks an authorization check. This allows any user with a valid web session cookie to retrieve a paginated list of user accounts without needing elevated permissions or an API token. The exposure includes usernames, display names, employee numbers, and user IDs for active accounts. If FMCS is not enabled, this affects all active accounts in the system. If FMCS is enabled, the exposure is limited to accounts within the company they belong to.

Defensive priority

Apply the patch in version 8.6.1 or later immediately. Restrict access to the affected API endpoint. Monitor for suspicious account enumeration attempts.

Recommended defensive actions

  • Apply the patch in version 8.6.1 or later
  • Restrict access to the affected API endpoint
  • Monitor for suspicious account enumeration attempts
  • Review and update access controls for Snipe-IT API endpoints
  • Conduct a thorough inventory of Snipe-IT installations and user accounts

Evidence notes

The CVE record was published on 2026-07-08T22:17:14.870Z and was last modified on 2026-07-10T17:49:57.737Z. The NVD entry is currently Undergoing Analysis. Official references include the CVE.org record and the NVD detail page.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-08T22:17:14.870Z and has not been modified since then. The NVD entry is currently Undergoing Analysis.