CVE-2026-42562
Received Received - Intake

Authenticated Privilege Escalation in Plainpad

Vulnerability report for CVE-2026-42562, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-05-09

Last updated on: 2026-05-09

Assigner: GitHub, Inc.

Description

Plainpad is a self hosted note taking app. Prior to version 1.1.1, Plainpad allows a low-privilege authenticated user to self-escalate to administrator by submitting admin=true in PUT /api.php/v1/users/{id}. The endpoint directly persists the admin attribute from user input, and the escalated account can immediately access admin-only routes. This issue has been patched in version 1.1.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-05-09
Last Modified
2026-05-09
Generated
2026-07-09
AI Q&A
2026-05-09
EPSS Evaluated
2026-07-08
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
alextselegidis plainpad to 1.1.1 (exc)
alextselegidis plainpad 1.1.1

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-269 The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-42562 is a privilege escalation vulnerability in Plainpad, a self-hosted note-taking application. Before version 1.1.1, any authenticated user with low privileges could escalate their privileges to administrator by submitting "admin=true" in a PUT request to the endpoint /api.php/v1/users/{id}. This happens because the endpoint directly accepts and persists the admin attribute from user input without proper authorization checks. As a result, a non-admin user could grant themselves admin rights and immediately access admin-only routes.

Impact Analysis

This vulnerability allows an attacker who has any authenticated access to the Plainpad application to escalate their privileges to administrator without authorization. This means the attacker can gain full administrative capabilities, potentially compromising the confidentiality, integrity, and availability of the system. They could access sensitive data, modify or delete content, and perform administrative actions that should be restricted.

Detection Guidance

This vulnerability can be detected by monitoring for unauthorized privilege escalation attempts where a low-privilege authenticated user submits a PUT request to the endpoint /api.php/v1/users/{id} with the parameter admin=true.

To detect such attempts, you can analyze your web server or application logs for PUT requests to the user update API containing the admin=true parameter.

Example commands to search logs for suspicious requests might include:

  • Using grep on access logs: grep 'PUT /api.php/v1/users/' /path/to/access.log | grep 'admin=true'
  • Using jq to parse JSON logs (if logs are in JSON format): jq 'select(.request_method=="PUT" and .request_uri|test("/api.php/v1/users/")) | select(.request_body|test("admin=true"))' /path/to/log.json

Additionally, monitoring for unexpected changes in user roles or sudden appearance of new admin accounts can help detect exploitation.

Mitigation Strategies

The immediate step to mitigate this vulnerability is to upgrade Plainpad to version 1.1.1 or later, where the issue has been patched.

The patch ensures that only existing administrator users can modify the admin status of other users, preventing low-privilege users from escalating their privileges.

If upgrading immediately is not possible, restrict access to the vulnerable API endpoint and monitor for suspicious activity as a temporary measure.

Review user accounts for any unauthorized admin privileges and revoke them if found.

Compliance Impact

The vulnerability allows a low-privilege authenticated user to escalate their privileges to administrator, granting full administrative capabilities. This can lead to unauthorized access to sensitive data and administrative functions, potentially compromising system confidentiality and integrity.

Such unauthorized privilege escalation can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict access controls and protection of sensitive information.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42562. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart