CVE-2026-25811
Insecure Tenant ID Validation in PlaciPy 1.0.0 Enables Data Exposure
Publication date: 2026-02-09
Last updated on: 2026-02-18
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| prasklatechnology | placipy | 1.0.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized access to sensitive data belonging to other tenants within the PlaciPy system.
As a result, confidential information could be exposed or manipulated by unauthorized users, potentially causing data breaches, loss of privacy, and damage to trust between tenants.
Can you explain this vulnerability to me?
The vulnerability in PlaciPy version 1.0.0 arises because the application determines the tenant identifier solely based on the email domain provided by the user, without verifying whether the user actually owns or is authorized to use that domain.
This lack of validation allows an attacker to impersonate another tenant by simply using an email address with that tenant's domain, leading to unauthorized cross-tenant data access.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
I don't know