CVE-2026-42185
Privilege Escalation in People Application
Publication date: 2026-05-08
Last updated on: 2026-05-08
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| suitemumerique | people | 1.23.1 |
| suitemumerique | people | up to 1.25.0 (excluded) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-269 | The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the People application, which manages users, teams, and permissions within La Suite. Before version 1.25.0, an attacker with the Administrator role on a mail domain could send a specially crafted invitation request to promote any existing user, even those without current domain access, to the Owner role. This promotion happens immediately upon a single authenticated HTTP request and does not require any acceptance from the targeted user.
How can this vulnerability impact me?
The vulnerability allows an attacker with Administrator privileges on a mail domain to escalate privileges by promoting any user to the Owner role without consent. This results in the attacker or a chosen user gaining full ownership of the domain, potentially leading to unauthorized control over domain resources and permissions.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade the People application to version 1.25.0 or later, where the issue has been patched.
Additionally, review and restrict Administrator role assignments on mail domains to trusted users only, as the exploit requires an authenticated Administrator.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows an attacker with Administrator privileges on a mail domain to escalate any existing user to the Owner role without consent, granting full domain ownership immediately. This unauthorized privilege escalation could lead to improper access control and potential misuse or exposure of sensitive data.
Such unauthorized access and control over user roles and domain ownership may violate compliance requirements in standards like GDPR and HIPAA, which mandate strict access controls and protection of personal and sensitive information.
However, the provided context does not explicitly discuss the impact on compliance with these or other regulations.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for suspicious authenticated HTTP requests that create invitations with elevated roles, especially those promoting users to the Owner role without proper authorization.
Specifically, detection involves inspecting requests to the MailDomainInvitationViewset.create() API endpoint for crafted invitation payloads that assign Owner roles to existing users.
Suggested approaches include HTTP request logging or network traffic inspection to identify such requests. The request shape to look for in logs, written here as a curl command, is:
- `curl -v -X POST https://your-people-instance/api/maildomaininvitations/ -H 'Authorization: Bearer <token>' -d '{"email": "[email protected]", "role": "OWNER"}'`
Additionally, review application logs for invitation creation events where the role assigned is Owner and verify if the requester had sufficient privileges to grant that role.
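The two answers above describe the missing check (an Administrator must not be able to grant Owner) and the log review that finds invitations where it was bypassed. The following is an added example, not the People project's own code: it assumes lowercase role names `viewer`, `administrator` and `owner`, and a constructed JSON-per-line log format with an invented event name `maildomain_invitation_created`.

```python
import json

# Assumed role ranking for this example, lowest to highest privilege.
ROLE_RANK = {"viewer": 0, "administrator": 1, "owner": 2}


class PermissionDenied(Exception):
    pass


def invitation_role_allowed(requester_role: str, invited_role: str) -> bool:
    """Hardened rule: a requester may grant at most their own role.

    An Administrator may invite Viewers or Administrators, but only an Owner
    may grant Owner. The vulnerable behaviour corresponds to stopping after
    the first check, so any Administrator could hand out Owner.
    """
    requester_role, invited_role = requester_role.lower(), invited_role.lower()
    if requester_role not in ("administrator", "owner"):
        return False  # only domain Administrators and Owners may invite
    if invited_role not in ROLE_RANK:
        return False  # unknown role names are never granted
    return ROLE_RANK[invited_role] <= ROLE_RANK[requester_role]


def create_invitation(requester_role: str, email: str, role: str) -> dict:
    """Server-side entry point: refuse the invitation before it is persisted."""
    if not invitation_role_allowed(requester_role, role):
        raise PermissionDenied(f"{requester_role} may not grant {role}")
    return {"email": email, "role": role.lower()}


def flag_suspicious_invitations(log_lines):
    """Retrospective review: return invitation-creation events whose granted
    role exceeded what the requester's own role should have allowed."""
    flagged = []
    for line in log_lines:
        event = json.loads(line)
        if event.get("event") != "maildomain_invitation_created":
            continue
        if not invitation_role_allowed(event["requester_role"], event["role"]):
            flagged.append(event)
    return flagged


# Constructed sample log lines (not real People output).
SAMPLE_LOG = [
    '{"event": "maildomain_invitation_created", "requester": "admin@example.com", "requester_role": "administrator", "email": "alice@example.com", "role": "administrator"}',
    '{"event": "maildomain_invitation_created", "requester": "admin@example.com", "requester_role": "administrator", "email": "mallory@example.com", "role": "owner"}',
    '{"event": "maildomain_invitation_created", "requester": "owner@example.com", "requester_role": "owner", "email": "bob@example.com", "role": "owner"}',
    '{"event": "login", "user": "admin@example.com"}',
]

if __name__ == "__main__":
    for event in flag_suspicious_invitations(SAMPLE_LOG):
        print(f"suspicious: {event['requester']} granted {event['role']} to {event['email']}")
```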