Home / Vulnerability Intelligence / CVE-2026-42562

CVE-2026-42562 - Vulnerability Analysis

HighCVSS: 8.3

Last Updated: May 9, 2026

Plainpad - Broken Access Control

Published: May 9, 2026Updated: May 9, 2026Remote Exploitable

Overview

Plainpad < 1.1.1 contains a broken access control vulnerability caused by direct persistence of the admin attribute from user input in PUT /api.php/v1/users/{id}, letting low-privilege authenticated users escalate to administrator, exploit requires user authentication.

Severity & Score

Severity: High

CVSS Score: 8.3

Impact

Authenticated low-privilege users can escalate to administrator, gaining full admin access and control over the application.

Mitigation

Upgrade to version 1.1.1 or later.

References

https://github.com/alextselegidis/plainpad/issues/138
https://github.com/alextselegidis/plainpad/releases/tag/1.1.1
https://github.com/alextselegidis/plainpad/security/advisories/GHSA-pvfv-wvpm-q6f6
https://github.com/alextselegidis/plainpad/commit/9216a876d27b22c3d9259551636d803f7cb075fc

Related Resources

Vulnerability Intelligence Dashboard
Credential Scanner

Details

CVE ID: CVE-2026-42562
Severity: High
CVSS Score: 8.3
Type: broken_access_control
Status: new

CWE

CWE-269

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L