CVE-2026-42562

Published: Mag 09, 2026 Last Modified: Mag 09, 2026
ExploitDB:
Other exploit source:
Google Dorks:
HIGH 8,3
Source: [email protected]
Attack Vector: network
Attack Complexity: low
Privileges Required: low
User Interaction: none
Scope: unchanged
Confidentiality: high
Integrity: high
Availability: low

Description

AI Translation Available

Plainpad is a self hosted note taking app. Prior to version 1.1.1, Plainpad allows a low-privilege authenticated user to self-escalate to administrator by submitting admin=true in PUT /api.php/v1/users/{id}. The endpoint directly persists the admin attribute from user input, and the escalated account can immediately access admin-only routes. This issue has been patched in version 1.1.1.

269

Improper Privilege Management

Draft
Abstraction: Class Structure: Simple
Common Consequences
Security Scopes Affected:
Access Control
Potential Impacts:
Gain Privileges Or Assume Identity
Applicable Platforms
All platforms may be affected
Likelihood of Exploit: Medium
View CWE Details
https://github.com/alextselegidis/plainpad/commit/9216a876d…
https://github.com/alextselegidis/plainpad/commit/9216a876d27b22c3d9259551636d8…
https://github.com/alextselegidis/plainpad/issues/138
https://github.com/alextselegidis/plainpad/issues/138
https://github.com/alextselegidis/plainpad/releases/tag/1.1…
https://github.com/alextselegidis/plainpad/releases/tag/1.1.1
https://github.com/alextselegidis/plainpad/security/advisor…
https://github.com/alextselegidis/plainpad/security/advisories/GHSA-pvfv-wvpm-q…