Description
People is an application to handle users and teams, and distribute permissions across La Suite. Prior to version 1.25.0, a user holding the Administrator role on a mail domain could send a crafted invitation request to promote any existing user (including users with no current domain access) to the Owner role. The exploit requires a single authenticated HTTP request and grants full domain ownership immediately, without any acceptance step from the target. This issue has been patched in version 1.25.0.
Published: 2026-05-08
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

People is a user and team management application used in La Suite. Prior to version 1.25.0, a user holding the Administrator role on a mail domain can send a crafted invitation request that promotes any existing user, including one with no current access to the domain, to the Owner role. The advisory title names the root cause: the invitation endpoint applies no role ceiling, so an Administrator can request a role higher than their own. Because the access takes effect immediately, the target never has to accept the invitation; the Administrator ends up choosing who holds full ownership of the domain. This is improper privilege management, CWE-269.
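The missing check, as an added Python illustration that is not code from the People project: the role names, the MailDomain shape and the two handler functions are assumptions chosen to reproduce the class of bug described above, with the 'before' behaviour beside a version that enforces a role ceiling.

```python
"""Role-ceiling check on a domain invitation, vulnerable and hardened.

Added illustration, not code from suitenumerique/people: the role names,
the MailDomain shape and the handler functions are assumptions chosen to
reproduce the class of bug the advisory describes.
"""
from dataclasses import dataclass, field
from enum import IntEnum


class Role(IntEnum):
    """Domain roles, ordered by privilege (assumed ordering)."""
    VIEWER = 1
    ADMINISTRATOR = 2
    OWNER = 3


class Forbidden(Exception):
    """Raised when the acting user may not perform the requested grant."""


@dataclass
class MailDomain:
    name: str
    accesses: dict = field(default_factory=dict)  # user email -> Role


def _require_manager(domain: MailDomain, actor: str) -> Role:
    """Shared by both handlers: the actor must at least administer the domain."""
    actor_role = domain.accesses.get(actor)
    if actor_role is None or actor_role < Role.ADMINISTRATOR:
        raise Forbidden("only administrators and owners may invite")
    return actor_role


def vulnerable_invite(domain: MailDomain, actor: str, target: str, role: int) -> Role:
    """'Before' behaviour: the actor's right to invite is checked, the role
    they ask for is not. An ADMINISTRATOR can write OWNER for any target, and
    the access takes effect immediately with no acceptance step."""
    _require_manager(domain, actor)
    domain.accesses[target] = Role(role)
    return domain.accesses[target]


def hardened_invite(domain: MailDomain, actor: str, target: str, role: int) -> Role:
    """Hardened form with a role ceiling: the granted role may not exceed the
    actor's own role, and an existing access above the actor's role may not
    be overwritten."""
    actor_role = _require_manager(domain, actor)
    requested = Role(role)
    if requested > actor_role:
        raise Forbidden(f"{actor_role.name} may not grant {requested.name}")
    current = domain.accesses.get(target)
    if current is not None and current > actor_role:
        raise Forbidden(f"{actor_role.name} may not change an access held at {current.name}")
    domain.accesses[target] = requested
    return requested


def make_domain() -> MailDomain:
    """Constructed sample domain: one owner, one administrator, nobody else."""
    return MailDomain(
        "example.org",
        {"owner@example.org": Role.OWNER, "admin@example.org": Role.ADMINISTRATOR},
    )


def outcome(handler, actor: str, target: str, role: int) -> str:
    """Run one invitation against a fresh sample domain and summarise the
    result, so the two handlers can be compared side by side."""
    domain = make_domain()
    try:
        granted = handler(domain, actor, target, role)
    except Forbidden as exc:
        return f"FORBIDDEN: {exc}"
    return f"{target} is now {granted.name} of {domain.name}"


if __name__ == "__main__":
    # An Administrator tries to make a user with no access the domain Owner.
    print(outcome(vulnerable_invite, "admin@example.org", "mallory@example.org", Role.OWNER))
    print(outcome(hardened_invite, "admin@example.org", "mallory@example.org", Role.OWNER))
    # The real Owner may still do it, and an Administrator may still add
    # another Administrator.
    print(outcome(hardened_invite, "owner@example.org", "mallory@example.org", Role.OWNER))
    print(outcome(hardened_invite, "admin@example.org", "mallory@example.org", Role.ADMINISTRATOR))
```

The ceiling here lets an Administrator grant up to their own role; a stricter policy (only roles strictly below the actor's) is a one-character change in the comparison and is worth considering where Administrators should not be able to create peers.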

Affected Systems

The affected product is People by suitenumerique. All releases prior to v1.25.0 are vulnerable. Every deployment running one of these versions is affected; exploitation needs an account that already holds the Administrator role on at least one mail domain, so the risk comes from insiders or compromised Administrator accounts escalating themselves or others to Owner.

Risk and Exploitability

The CVSS 3.1 base score of 5.5 (AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:L) reflects that the attacker must already hold high privileges (Administrator on a domain) but needs no user interaction; the impact is rated high on integrity and low on availability, with no confidentiality impact. The EPSS estimate is below 1% and the vulnerability is not listed in the CISA KEV catalog; the SSVC record marks it as having a proof of concept, not automatable, with partial technical impact. Exploitation is a single authenticated HTTP request from an Administrator account. Once the request is made, the target user is immediately an Owner of the domain with no acceptance step, and no further conditions apply, so an Administrator can promote any account they choose, including their own.

Generated by OpenCVE AI on May 8, 2026 at 20:28 UTC.

Remediation

The vendor fix is People version 1.25.0 (see the description); no separate workaround has been published.

OpenCVE Recommended Actions

  • Upgrade People to v1.25.0 or later.
  • If upgrading is not immediately possible, revoke or restrict Administrator privileges on mail domains until a patch can be applied.
  • Continuously monitor domain ownership changes and audit logs for unauthorized promotions.
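One way to act on the last recommendation, as an added Python example that is not code from the People project, which publishes no audit-log format on this page: the JSON-lines layout, the field names and the sample events are constructed for the illustration. It flags access changes where the granted role outranks the actor's role, and, as a generalisation beyond the advisory's case, self-promotions.

```python
"""Flag privilege grants in a domain audit log that exceed the granting
user's own role.

Added illustration, not code from suitenumerique/people. The JSON-lines
layout, the field names and SAMPLE_LOG are constructed for this example.
"""
import json
from typing import Iterable

# Assumed privilege ordering of the domain roles.
RANK = {"viewer": 1, "administrator": 2, "owner": 3}

# Constructed sample audit trail: four access changes and one unrelated event.
SAMPLE_LOG = """\
{"ts": "2026-05-08T10:00:01Z", "event": "domain_access.created", "domain": "example.org", "actor": "owner@example.org", "actor_role": "owner", "target": "admin@example.org", "role": "administrator", "previous_role": null}
{"ts": "2026-05-08T10:05:12Z", "event": "domain_access.created", "domain": "example.org", "actor": "admin@example.org", "actor_role": "administrator", "target": "bob@example.org", "role": "viewer", "previous_role": null}
{"ts": "2026-05-08T11:42:30Z", "event": "domain_access.created", "domain": "example.org", "actor": "admin@example.org", "actor_role": "administrator", "target": "mallory@example.org", "role": "owner", "previous_role": null}
{"ts": "2026-05-08T11:43:02Z", "event": "domain_access.updated", "domain": "example.org", "actor": "admin@example.org", "actor_role": "administrator", "target": "admin@example.org", "role": "owner", "previous_role": "administrator"}
{"ts": "2026-05-08T12:00:00Z", "event": "user.login", "actor": "bob@example.org"}
"""


def find_suspicious_grants(lines: Iterable[str]) -> list:
    """Return one alert per domain_access event whose granted role outranks
    the actor's role, or where the actor raised their own role. Events of
    other types, blank lines and malformed lines are skipped."""
    alerts = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if not str(ev.get("event", "")).startswith("domain_access."):
            continue
        granted = RANK.get(ev.get("role"))
        actor_rank = RANK.get(ev.get("actor_role"))
        if granted is None or actor_rank is None:
            continue  # unknown role names: nothing to compare
        reasons = []
        if granted > actor_rank:
            reasons.append("granted role above actor role")
        previous = RANK.get(ev.get("previous_role")) or 0
        if ev.get("target") == ev.get("actor") and granted > previous:
            reasons.append("self-promotion")
        if reasons:
            alerts.append({
                "ts": ev["ts"],
                "domain": ev.get("domain"),
                "actor": ev["actor"],
                "target": ev.get("target"),
                "role": ev["role"],
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_grants(SAMPLE_LOG.splitlines()):
        print(f"{alert['ts']} {alert['domain']}: {alert['actor']} gave {alert['role']} "
              f"to {alert['target']} ({', '.join(alert['reasons'])})")
```

On a patched deployment the first rule should never fire; if it does after upgrading, either the log field for the actor's role is stale or the fix is not in place, and both are worth a look.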

Advisories

No advisories yet.

History

Fri, 08 May 2026 20:15:00 +0000

Type      Values Removed  Values Added
Metrics   -               ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 08 May 2026 19:30:00 +0000

Type         Values Removed  Values Added
Description  -               People is an application to handle users and teams, and distribute permissions across La Suite. Prior to version 1.25.0, a user holding the Administrator role on a mail domain could send a crafted invitation request to promote any existing user (including users with no current domain access) to the Owner role. The exploit requires a single authenticated HTTP request and grants full domain ownership immediately, without any acceptance step from the target. This issue has been patched in version 1.25.0.
Title        -               People: Privilege Escalation via Missing Role Ceiling in Mail Domain Invitation
Weaknesses   -               CWE-269
References   -               
Metrics      -               cvssV3_1: {'score': 5.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-08T19:53:16.358Z

Reserved: 2026-04-25T01:53:21.583Z

Link: CVE-2026-42185

Vulnrichment

Updated: 2026-05-08T19:53:11.320Z

NVD

Status: Received

Published: 2026-05-08T20:16:31.290

Modified: 2026-05-08T20:16:31.290

Link: CVE-2026-42185

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-08T20:30:16Z

Weaknesses