CVE-2025-47226

CVSS 5 MEDIUM · EPSS 1.1% · CWE-425

In short

Snipe-IT versions before 8.1.0 allow unauthorized users to view asset information they shouldn't have access to. This is a permission flaw that could expose sensitive inventory details.

Technical detail

CWE-425 (Direct Request) authorization bypass in Snipe-IT <8.1.0 permits unauthenticated or low-privileged users to access asset data via direct API or endpoint requests. The vulnerability stems from insufficient access control checks on asset information endpoints, potentially exposing confidential inventory records without proper role-based restrictions.

Summary generated and translated by AI from the official description.
Grokability Snipe-IT before 8.1.0 has incorrect authorization for accessing asset information.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Affected products
snipeitapp · Snipe-IT