2 matches found
CVE-2026-48492
CVE-2026-48492 affects Snipe-IT (IT asset/license management). Prior to version 8.6.1, the GET /api/v1/{object}/selectlist endpoint lacked an authorization check, allowing any logged-in user (with a web session cookie and no API token) to enumerate all user accounts and retrieve usernames, displa...
Snipe-IT's selectlist visibility is too permissive
Impact The GET /api/v1/object/selectlist API endpoint is missing an authorization check. Any user who can log into Snipe-IT - regardless of permissions - can retrieve a paginated list of all user accounts using only their web session cookie. No API token or elevated permissions are required. This...