Description
Plainpad is a self-hosted note-taking app. Prior to version 1.1.1, Plainpad allows a low-privilege authenticated user to self-escalate to administrator by submitting admin=true in PUT /api.php/v1/users/{id}. The endpoint directly persists the admin attribute from user input, and the escalated account can immediately access admin-only routes. This issue has been patched in version 1.1.1.
Published: 2026-05-09
Score: 8.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Plainpad is a self‑hosted note‑taking application that, before version 1.1.1, allowed a normal authenticated user to elevate to administrator by sending admin=true in the PUT /api.php/v1/users/{id} request. The endpoint stores the supplied admin flag directly, granting the upgraded account immediate access to all admin‑only routes. This flaw corresponds to CWE-269 and results in a high‑severity privilege escalation that lets an attacker gain full control over the application and its data.

Affected Systems

Plainpad, developed by alextselegidis, is affected in all releases prior to 1.1.1. The vulnerability was fixed in version 1.1.1.

Risk and Exploitability

The CVSS score of 8.3 classifies the issue as high severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated user session; once logged in, the attacker can trivially set the admin flag and immediately obtain administrative privileges with no further conditions.

Generated by OpenCVE AI on May 9, 2026 at 20:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Plainpad to version 1.1.1 or later.
  • If an update is not feasible, disable the ability to modify the admin flag via the API or restrict that capability to privileged‑only endpoints.
  • Monitor account changes for unexpected privilege elevations and enforce least privilege on user‑management routes.


Tracking


Advisories

No advisories yet.

History

Mon, 11 May 2026 15:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Sun, 10 May 2026 21:45:00 +0000

Type: First Time appeared
Values Added: Alextselegidis; Alextselegidis plainpad

Type: Vendors & Products
Values Added: Alextselegidis; Alextselegidis plainpad

Sat, 09 May 2026 19:45:00 +0000

Type: Description
Values Added: Plainpad is a self-hosted note-taking app. Prior to version 1.1.1, Plainpad allows a low-privilege authenticated user to self-escalate to administrator by submitting admin=true in PUT /api.php/v1/users/{id}. The endpoint directly persists the admin attribute from user input, and the escalated account can immediately access admin-only routes. This issue has been patched in version 1.1.1.

Type: Title
Values Added: Plainpad: Privilege Escalation via Writable Admin Field in Profile Update (Access Control)

Type: Weaknesses
Values Added: CWE-269

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 8.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L'}


Subscriptions

Alextselegidis Plainpad
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-11T14:50:20.630Z

Reserved: 2026-04-28T16:56:50.192Z

Link: CVE-2026-42562

Vulnrichment

Updated: 2026-05-11T14:50:16.203Z

NVD

Status: Deferred

Published: 2026-05-09T20:16:28.933

Modified: 2026-05-13T15:23:57.230

Link: CVE-2026-42562

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-10T21:24:27Z

Weaknesses