CVE-2025-47226
unknown
CVSS v3
โ
CVSS v4 NEW
โ
VIR risk
1.0
Description
Grokability Snipe-IT has incorrect authorization for accessing asset information
Predictions
Exploit likelihood
30%
Patch ETA
โ
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
Grokability Snipe-IT 8.0.4 - Insecure Direct Object Reference (IDOR)
# Exploit Title: Grokability Snipe-IT 8.0.4 - Insecure Direct Object Reference (IDOR)
# Google Dork: N/A
# Date: 2025-05-02
# Exploit Author: Sn1p3r-H4ck3r (Siripong Jintung)
# Vendor Homepage: https://snipeitapp.com
# Software Link: https://github.com/grokability/snipe-it
# Version: <= 8.0.4
# Tested on: Ubuntu 22.04 LTS, Apache2 + MySQL + PHP 8.1
# CVE: CVE-2025-47226
# Vulnerability Description:
Snipe-IT <= 8.0.4 contains an Insecure Direct Object Reference (IDOR) vulnerability in the
`/locations/<id>/printassigned` endpoint. This flaw allows an authenticated user from one
department to gain access to asset assignment data belonging to other departments by modifying
the `location_id` in the URL.
# Steps to Reproduce:
1. Authenticate with a low-privileged account assigned to `location_id = 2`.
2. Access the print preview page:
https://<target>/locations/2/printassigned
3. Modify the URL to:
https://<target>/locations/1/printassigned
4. The application will disclose inventory/assignment information for location ID 1,
even if the user should not have access.
# Impact:
- Unauthorized access to internal asset and inventory information.
- Potential for lateral data exposure between departments in the same organization.
- Disclosure of asset IDs, assignees, and location metadata.
# Mitigation:
Update to **Snipe-IT v8.1.0** or higher where access control validation has been corrected.
# References:
- Patch PR: https://github.com/grokability/snipe-it/pull/16672
- CVE Record: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-47226
- Release Notes: https://github.com/grokability/snipe-it/releases/tag/v8.1.0Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| Packagist | snipe/snipe-it | <8.1.0 | 8.1.0 |
References
- https://nvd.nist.gov/vuln/detail/CVE-2025-47226
- https://github.com/grokability/snipe-it/pull/16672
- https://github.com/grokability/snipe-it
- https://github.com/grokability/snipe-it/compare/v8.0.4...v8.1.0
- https://github.com/grokability/snipe-it/releases/tag/v8.1.0
- https://github.com/koyomihack00/CVE-2025-47226/blob/main/PoC/idor-exploit.md
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.