CVE-2026-42562 PUBLISHED

Plainpad: Privilege Escalation via Writable Admin Field in Profile Update (Access Control)

Assigner: GitHub_M
Reserved: 28.04.2026 Published: 09.05.2026 Updated: 09.05.2026

Plainpad is a self hosted note taking app. Prior to version 1.1.1, Plainpad allows a low-privilege authenticated user to self-escalate to administrator by submitting admin=true in PUT /api.php/v1/users/{id}. The endpoint directly persists the admin attribute from user input, and the escalated account can immediately access admin-only routes. This issue has been patched in version 1.1.1.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
CVSS Score: 8.3

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	Low	Integrity Impact	High
User Interaction	None	Availability Impact	Low

CVSS 3.1

Product Status

Vendor	alextselegidis
Product	plainpad
Versions	Version < 1.1.1 is affected

References

Problem Types

CWE-269: Improper Privilege Management CWE