CVE-2026-42562
Authenticated Privilege Escalation in Plainpad
Publication date: 2026-05-09
Last updated on: 2026-05-09
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| alextselegidis | plainpad | to 1.1.1 (exc) |
| alextselegidis | plainpad | 1.1.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-269 | The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-42562 is a privilege escalation vulnerability in Plainpad, a self-hosted note-taking application. Before version 1.1.1, any authenticated user with low privileges could escalate their privileges to administrator by submitting "admin=true" in a PUT request to the endpoint /api.php/v1/users/{id}. This happens because the endpoint directly accepts and persists the admin attribute from user input without proper authorization checks. As a result, a non-admin user could grant themselves admin rights and immediately access admin-only routes.
How can this vulnerability impact me?
This vulnerability allows an attacker who has any authenticated access to the Plainpad application to escalate their privileges to administrator without authorization. This means the attacker can gain full administrative capabilities, potentially compromising the confidentiality, integrity, and availability of the system. They could access sensitive data, modify or delete content, and perform administrative actions that should be restricted.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unauthorized privilege escalation attempts where a low-privilege authenticated user submits a PUT request to the endpoint /api.php/v1/users/{id} with the parameter admin=true.
To detect such attempts, analyze your web server, reverse proxy, or application logs for PUT requests to the user update API whose body contains the admin=true parameter. Note that the default access-log formats of common web servers record only the request line, not the request body, so the second filter only matches if body logging is enabled (or the parameter is sent in the query string); otherwise rely on the application's own logs or on auditing of user-role changes.
Example commands to search logs for suspicious requests might include:
- Using grep on access logs: `grep 'PUT /api.php/v1/users/' /path/to/access.log | grep 'admin=true'`
- Using jq to parse JSON logs (if logs are in JSON format, one object per line with the fields shown): `jq -c 'select(.request_method == "PUT" and (.request_uri | test("/api.php/v1/users/")) and (.request_body | test("admin=true")))' /path/to/log.json` (each condition is parenthesized because in jq the pipe binds more loosely than `and`, so without the parentheses `test` would be applied to a boolean and the filter would error out)
Additionally, monitoring for unexpected changes in user roles or sudden appearance of new admin accounts can help detect exploitation.
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to upgrade Plainpad to version 1.1.1 or later, where the issue has been patched.
The patch ensures that only existing administrator users can modify the admin status of other users, preventing low-privilege users from escalating their privileges.
If upgrading immediately is not possible, restrict access to the vulnerable API endpoint and monitor for suspicious activity as a temporary measure.
Review user accounts for any unauthorized admin privileges and revoke them if found.
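The root cause described above (the update endpoint persisting a client-supplied admin attribute without an authorization check) and the behaviour of the fix (only an existing administrator may change another user's admin status), as an added illustration that is not Plainpad's own code: Plainpad is written in PHP, whereas this is a framework-free Python sketch with a constructed in-memory user store, and the function and field names are assumptions.

```python
# Illustration of CWE-269 as described for CVE-2026-42562: a PUT /users/{id}
# handler that copies every submitted field onto the user, beside a hardened
# version. Not Plainpad's code; store, names and fields are constructed here.
from dataclasses import dataclass


@dataclass
class User:
    id: int
    name: str
    admin: bool = False


class Forbidden(Exception):
    """Raised when the caller is not allowed to perform the update."""


def make_store() -> dict:
    """Constructed in-memory user table standing in for the application database."""
    return {1: User(1, "alice", admin=True), 2: User(2, "bob", admin=False)}


def update_user_vulnerable(users: dict, caller: User, target_id: int, body: dict) -> User:
    """Vulnerable pattern: every field in the PUT body is persisted as-is, and the
    caller's privileges are never consulted, so a low-privilege user editing their
    own record can submit admin=true and become an administrator."""
    target = users[target_id]
    for field, value in body.items():      # mass assignment, "admin" included
        setattr(target, field, value)
    return target


# Fields a user may change on their own account; "admin" is deliberately absent.
SELF_EDITABLE = ("name",)


def update_user_hardened(users: dict, caller: User, target_id: int, body: dict) -> User:
    """Hardened pattern: check who is calling, allow-list the editable fields, and
    let only an existing administrator set the admin flag."""
    target = users[target_id]
    if caller.id != target_id and not caller.admin:
        raise Forbidden("non-admin users may only edit their own account")
    if "admin" in body and not caller.admin:
        raise Forbidden("only administrators may change the admin flag")
    for field in SELF_EDITABLE:
        if field in body:
            setattr(target, field, body[field])
    if "admin" in body:                    # reached only when caller.admin is True
        target.admin = bool(body["admin"])
    return target
```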
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows a low-privilege authenticated user to escalate their privileges to administrator, granting full administrative capabilities. This can lead to unauthorized access to sensitive data and administrative functions, potentially compromising system confidentiality and integrity.
Such unauthorized privilege escalation can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict access controls and protection of sensitive information.