Description
Plainpad is a self-hosted note-taking app. Prior to version 1.1.1, Plainpad allows a low-privilege authenticated user to self-escalate to administrator by submitting admin=true in PUT /api.php/v1/users/{id}. The endpoint directly persists the admin attribute from user input, and the escalated account can immediately access admin-only routes. This issue has been patched in version 1.1.1.
Published: 2026-05-09
Score: 8.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Plainpad is a self-hosted note-taking application that, before version 1.1.1, allowed a normal authenticated user to elevate to administrator by sending admin=true in the PUT /api.php/v1/users/{id} request. The endpoint stores the supplied admin flag directly, without checking whether the caller is entitled to change it, granting the upgraded account immediate access to all admin-only routes. This flaw is classified as CWE-269 (Improper Privilege Management) and results in a high-severity privilege escalation that lets an attacker gain full control over the application and its data.

Affected Systems

Plainpad, developed by alextselegidis, is affected in all releases prior to 1.1.1. The vulnerability was fixed in version 1.1.1.

Risk and Exploitability

The CVSS score of 8.3 classifies the issue as high severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated user session; once logged in, the attacker can trivially set the admin flag and immediately obtain administrative privileges with no further conditions.

Generated by OpenCVE AI on May 9, 2026 at 20:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Plainpad to version 1.1.1 or later.
  • If an update is not feasible, disable the ability to modify the admin flag via the API or restrict that capability to privileged-only endpoints.
  • Monitor account changes for unexpected privilege elevations and enforce least privilege on user‑management routes.
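As an added example (not Plainpad's own code; the in-memory store, the user and audit structures, and the SELF_EDITABLE/ADMIN_ONLY policy are assumptions), the following shows the pattern behind the flaw described in the analysis above beside an allow-list fix for the user-update handler, and a snapshot comparison that implements the monitoring recommendation in the list above:

```python
"""Privileged-field mass assignment and its allow-list fix (constructed
illustration; none of this is Plainpad code)."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Any

# Fields an ordinary user may change on their own record (assumed policy).
SELF_EDITABLE = {"name", "email", "password"}
# Fields only an administrator may change, on any record.
ADMIN_ONLY = {"admin"}


@dataclass
class User:
    id: int
    name: str
    email: str
    admin: bool = False
    password: str = "placeholder"  # a real app stores a hash here


@dataclass
class Store:
    """In-memory stand-in for the users table plus an audit trail."""
    users: dict[int, User]
    audit: list[dict[str, Any]] = field(default_factory=list)


class Forbidden(Exception):
    """Stands in for an HTTP 403 response."""


def make_store() -> Store:
    """Constructed sample data: one administrator and one ordinary user."""
    return Store(users={
        1: User(1, "root", "root@example.test", admin=True),
        2: User(2, "mallory", "mallory@example.test"),
    })


def update_user_vulnerable(store: Store, actor_id: int, target_id: int,
                           payload: dict[str, Any]) -> User:
    """The flawed pattern: every submitted attribute is written to the record.
    Nothing ties the caller's privilege to the fields being changed, so a body
    containing admin=true makes the caller an administrator."""
    target = store.users[target_id]
    for key, value in payload.items():
        if hasattr(target, key):
            setattr(target, key, value)
    return target


def update_user_hardened(store: Store, actor_id: int, target_id: int,
                         payload: dict[str, Any]) -> User:
    """Allow-list fields by caller privilege and refuse anything else."""
    actor = store.users[actor_id]
    target = store.users[target_id]
    # Ordinary users may only edit their own record.
    if not actor.admin and actor_id != target_id:
        raise Forbidden("cannot modify another user's account")
    allowed = SELF_EDITABLE | (ADMIN_ONLY if actor.admin else set())
    rejected = sorted(set(payload) - allowed)
    if rejected:
        # Reject rather than silently drop: the attempt itself is evidence.
        store.audit.append({"event": "rejected_fields", "actor": actor_id,
                            "target": target_id, "fields": rejected})
        raise Forbidden(f"fields not permitted for this caller: {rejected}")
    for key, value in payload.items():
        if key == "admin" and value != target.admin:
            store.audit.append({"event": "admin_changed", "actor": actor_id,
                                "target": target_id, "new": bool(value)})
        setattr(target, key, value)
    return target


def detect_elevations(before: dict[int, bool], after: dict[int, bool],
                      approved: frozenset[int] = frozenset()) -> list[int]:
    """Compare two snapshots of the admin column and return the user ids that
    gained admin without an approved change request."""
    return sorted(uid for uid, is_admin in after.items()
                  if is_admin and not before.get(uid, False)
                  and uid not in approved)


def demo() -> dict[str, Any]:
    """Runs both handlers against the constructed store and summarises."""
    out: dict[str, Any] = {}
    s = make_store()
    update_user_vulnerable(s, 2, 2, {"name": "Mallory", "admin": True})
    out["vulnerable_self_elevated"] = s.users[2].admin
    s = make_store()
    try:
        update_user_hardened(s, 2, 2, {"name": "Mallory", "admin": True})
    except Forbidden as exc:
        out["hardened_error"] = str(exc)
    out["hardened_self_elevated"] = s.users[2].admin
    out["rejected"] = s.audit[-1]["fields"]
    update_user_hardened(s, 1, 2, {"admin": True})  # root grants it legitimately
    out["granted_by_admin"] = s.users[2].admin
    out["elevated_ids"] = detect_elevations({1: True, 2: False}, {1: True, 2: True})
    return out


if __name__ == "__main__":
    print(demo())
```

The hardened handler refuses the whole request when a disallowed field is present instead of stripping it; a rejected write is logged, so attempts to set the flag show up in the audit trail even though they fail. The snapshot comparison is independent of the application code, which makes it useful for the period before a patch is applied.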


Advisories

No advisories yet.

History

Sat, 09 May 2026 19:45:00 +0000

Type: Description
  Values Removed: (none)
  Values Added: Plainpad is a self hosted note taking app. Prior to version 1.1.1, Plainpad allows a low-privilege authenticated user to self-escalate to administrator by submitting admin=true in PUT /api.php/v1/users/{id}. The endpoint directly persists the admin attribute from user input, and the escalated account can immediately access admin-only routes. This issue has been patched in version 1.1.1.

Type: Title
  Values Removed: (none)
  Values Added: Plainpad: Privilege Escalation via Writable Admin Field in Profile Update (Access Control)

Type: Weaknesses
  Values Removed: (none)
  Values Added: CWE-269

Type: References
  Values Removed: (none)
  Values Added: (none)

Type: Metrics
  Values Removed: (none)
  Values Added: cvssV3_1 {'score': 8.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L'}



MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-09T19:09:48.862Z

Reserved: 2026-04-28T16:56:50.192Z

Link: CVE-2026-42562

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-09T20:16:28.933

Modified: 2026-05-09T20:16:28.933

Link: CVE-2026-42562

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-09T20:30:41Z

Weaknesses