PatchSiren cyber security CVE debrief
CVE-2026-48492 grokability CVE debrief
CVE-2026-48492 is a medium-severity vulnerability in Snipe-IT's API endpoint, which lacks an authorization check. This allows any logged-in user to retrieve a paginated list of all user accounts, exposing sensitive information such as usernames, display names, employee numbers, and user IDs. The exposure affects active accounts, and its impact varies depending on whether FMCS is enabled. To mitigate this vulnerability, it is essential to apply the patch in version 8.6.1 or later immediately. Additionally, restricting access to the affected API endpoint and monitoring for suspicious account enumeration attempts can help prevent potential insider threats or account enumeration attacks. It is also crucial to review and update access controls for Snipe-IT API endpoints and conduct a thorough inventory of Snipe-IT installations and user accounts. The CVE record was published on 2026-07-08T22:17:14.870Z and was last modified on 2026-07-10T17:49:57.737Z. The NVD entry is currently Undergoing Analysis.
- Vendor
- grokability
- Product
- snipe-it
- CVSS
- MEDIUM 4.9
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-08
- Original CVE updated
- 2026-07-10
- Advisory published
- 2026-07-08
- Advisory updated
- 2026-07-10
Who should care
IT asset and license management teams using Snipe-IT, especially those with user account data, should prioritize patching to version 8.6.1 or later. Security teams monitoring for potential insider threats or account enumeration attacks should also be aware of this vulnerability.
Technical summary
The GET /api/v1/{object}/selectlist API endpoint in Snipe-IT versions prior to 8.6.1 lacks an authorization check. This allows any user with a valid web session cookie to retrieve a paginated list of user accounts without needing elevated permissions or an API token. The exposure includes usernames, display names, employee numbers, and user IDs for active accounts. If FMCS is not enabled, this affects all active accounts in the system. If FMCS is enabled, the exposure is limited to accounts within the company they belong to.
Defensive priority
Apply the patch in version 8.6.1 or later immediately. Restrict access to the affected API endpoint. Monitor for suspicious account enumeration attempts.
Recommended defensive actions
- Apply the patch in version 8.6.1 or later
- Restrict access to the affected API endpoint
- Monitor for suspicious account enumeration attempts
- Review and update access controls for Snipe-IT API endpoints
- Conduct a thorough inventory of Snipe-IT installations and user accounts
Evidence notes
The CVE record was published on 2026-07-08T22:17:14.870Z and was last modified on 2026-07-10T17:49:57.737Z. The NVD entry is currently Undergoing Analysis. Official references include the CVE.org record and the NVD detail page.
Official resources
-
CVE-2026-48492 CVE record
CVE.org
-
CVE-2026-48492 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Patch
-
Mitigation or vendor reference
[email protected] - Patch, Vendor Advisory
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-08T22:17:14.870Z and has not been modified since then. The NVD entry is currently Undergoing Analysis.