Description
PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the admin authorization middleware trusts client-controlled JWT claims (role and scope) without enforcing server-side role verification.
Published: 2026-02-09
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Immediate Patch
AI Analysis

Impact

PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the admin authorization middleware trusts client‑controlled JWT claims (role and scope) without enforcing server‑side role verification. This flaw allows an attacker to manipulate JWT claims to assume administrative privileges, thereby enabling unauthorized configuration changes, data exposure, or further exploitation of the system. The weakness is classified as CWE‑863, representing unauthorized modification of a privileged attribute.

Affected Systems

Affected systems are Praskla‑Technology's assessment‑placipy application, specifically version 1.0.0. Users running this exact version without the fix are vulnerable; later versions or patches that enforce role verification are not listed.

Risk and Exploitability

The CVSS score of 9.3 indicates a critical-severity, high-impact vulnerability. Although the EPSS score is less than 1%, indicating a low immediate exploitation probability, the lack of server-side role checks means that a crafted JWT can be created easily by an attacker with network or application access. The vulnerability is not currently catalogued in the CISA KEV list, but its severity and the simplicity of the attack vector warrant urgent remediation.

Generated by OpenCVE AI on April 17, 2026 at 21:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update PlaciPy to a version that implements server‑side role verification for JWT claims.
  • If an update is unavailable, modify the authentication middleware to enforce role hierarchy and reject client‑supplied role and scope claims that exceed the authenticated user’s privileges.
  • Restrict the issuance or acceptance of JWTs to trusted sources; remove the ability for clients to set role or scope claims through query parameters or headers.
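The three actions above describe one fix pattern: the token may identify the caller, but it must not be the source of the caller's privileges. The following is an added illustration written for this page, not PlaciPy's own code, and it makes no claim about how PlaciPy's middleware is actually structured. The HS256 signer/verifier, the SERVER_ROLES table, the user ids and the function names are all constructed for the example. It places the weak shape the advisory describes (a signed token whose role/scope claims are believed as-is, issued by a login path that honours a client-supplied role) beside the hardened shape (the issuer takes no role parameter, and the middleware re-reads the role from the server-side store using only the token's subject).

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed sample data for this example (not PlaciPy's real schema):
# the server-side source of truth for who holds which role.
SERVER_ROLES = {"u-0001": "admin", "u-1001": "student"}
SCOPES_BY_ROLE = {"admin": ["admin:write", "student:read"], "student": ["student:read"]}

# Demo HS256 key (constructed); a real service loads it from secret storage.
SECRET = b"demo-signing-key-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, secret: bytes = SECRET) -> str:
    """Minimal stdlib HS256 issuer (helper for this example, not a PlaciPy API)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_jwt(token: str, secret: bytes = SECRET) -> Optional[dict]:
    """Return the claims only if the HS256 signature and expiry check out."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # never let the token choose the algorithm
            return None
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
        if not isinstance(claims, dict) or claims.get("exp", 0) <= time.time():
            return None
    except (ValueError, TypeError, AttributeError):
        return None
    return claims


# --- Token issuance -----------------------------------------------------------

def issue_token_weak(user_id: str, requested_role: Optional[str] = None) -> str:
    """The pattern the third action warns about: a role supplied by the client
    (e.g. from a query parameter or header) ends up inside the signed token."""
    role = requested_role or SERVER_ROLES[user_id]
    claims = {"sub": user_id, "role": role, "scope": SCOPES_BY_ROLE.get(role, []),
              "exp": int(time.time()) + 3600}
    return sign_jwt(claims)


def issue_token(user_id: str) -> str:
    """Fixed issuer: the role comes only from the server-side store; there is no
    parameter through which a client could request one."""
    role = SERVER_ROLES[user_id]
    claims = {"sub": user_id, "role": role, "scope": SCOPES_BY_ROLE[role],
              "exp": int(time.time()) + 3600}
    return sign_jwt(claims)


# --- Admin authorization middleware ------------------------------------------

def is_admin_trusting_claims(token: str) -> bool:
    """Weak middleware (the CWE-863 shape described in the advisory): the
    signature is verified, but the role/scope claims are believed as-is."""
    claims = verify_jwt(token)
    return (claims is not None and claims.get("role") == "admin"
            and "admin:write" in claims.get("scope", []))


def is_admin_server_side(token: str) -> bool:
    """Hardened middleware: the token only identifies the subject; the role is
    re-read from the server-side store, so role/scope claims carry no authority."""
    claims = verify_jwt(token)
    if claims is None:
        return False
    return SERVER_ROLES.get(claims.get("sub")) == "admin"


if __name__ == "__main__":
    # A student who managed to get role=admin written into a validly signed token.
    escalated = issue_token_weak("u-1001", requested_role="admin")
    print("weak middleware grants admin:", is_admin_trusting_claims(escalated))   # True
    print("hardened middleware grants admin:", is_admin_server_side(escalated))   # False
```

Note that the signature check is necessary but not sufficient: the escalated token above is genuinely signed by the server, so a verifier that stops at "signature valid, role says admin" accepts it. The hardened check is also what makes the first two actions testable: a token for a student subject must be rejected by every admin route regardless of what its role or scope claims say, and a regression test for that case is cheap to keep.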

Advisories

No advisories yet.

History

Wed, 11 Feb 2026 19:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared  (none)           Prasklatechnology; Prasklatechnology placipy
CPEs                 (none)           cpe:2.3:a:prasklatechnology:placipy:1.0.0:*:*:*:*:*:*:*
Vendors & Products   (none)           Prasklatechnology; Prasklatechnology placipy
Metrics              (none)           cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Tue, 10 Feb 2026 16:15:00 +0000

Type                 Values Removed   Values Added
Metrics              (none)           ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 10 Feb 2026 12:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared  (none)           Praskla-technology; Praskla-technology assessment-placipy
Vendors & Products   (none)           Praskla-technology; Praskla-technology assessment-placipy

Mon, 09 Feb 2026 21:30:00 +0000

Type                 Values Removed   Values Added
Description          (none)           PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, The admin authorization middleware trusts client-controlled JWT claims (role and scope) without enforcing server-side role verification.
Title                (none)           PlaciPy Admin Privilege Escalation via Trusted JWT Claims
Weaknesses           (none)           CWE-863
References           (none)
Metrics              (none)           cvssV4_0 {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-10T15:58:19.739Z

Reserved: 2026-02-06T21:08:39.128Z

Link: CVE-2026-25875

Vulnrichment

Updated: 2026-02-10T15:39:35.050Z

NVD

Status : Analyzed

Published: 2026-02-09T22:16:03.133

Modified: 2026-02-11T19:42:50.187

Link: CVE-2026-25875

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T21:15:27Z

Weaknesses