Self-escalation Vulnerability in Plainpad Note Taking Application
CVE-2026-42562

8.3HIGH

Key Information:

Vendor

Alextselegidis

Status
Plainpad
Vendor
CVE Published:
9 May 2026

What is CVE-2026-42562?

In the Plainpad note taking application, a vulnerability exists that allows a low-privilege authenticated user to escalate their privileges to that of an administrator. This occurs through the exploitation of the PUT /api.php/v1/users/{id} endpoint, where an attacker can submit 'admin=true' as input. The application incorrectly trusts this input and directly persists the admin attribute, granting the attacker immediate access to admin-only routes. This issue has been addressed in version 1.1.1, emphasizing the importance of not relying on user input for critical security attributes.

Affected Version(s)

plainpad < 1.1.1

References

https://github.com/alextselegidis/plainpad/security/advis...
x_refsource_CONFIRM
https://github.com/alextselegidis/plainpad/issues/138
x_refsource_MISC
https://github.com/alextselegidis/plainpad/commit/9216a87...
x_refsource_MISC

CVSS V3.1

Score:
8.3
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.