Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
8.3
CVE-2026-42562: Plainpad self-hosted note taking app admin access escalation
CVE-2026-42562
Summary
A user with limited access to Plainpad can gain full admin rights by submitting a specific request. This could allow them to access and modify sensitive data. Update to version 1.1.1 to fix this issue.
Original title
Plainpad is a self hosted note taking app. Prior to version 1.1.1, Plainpad allows a low-privilege authenticated user to self-escalate to administrator by submitting admin=true in PUT /api.php/v1/u...
Original description
Plainpad is a self hosted note taking app. Prior to version 1.1.1, Plainpad allows a low-privilege authenticated user to self-escalate to administrator by submitting admin=true in PUT /api.php/v1/users/{id}. The endpoint directly persists the admin attribute from user input, and the escalated account can immediately access admin-only routes. This issue has been patched in version 1.1.1.
nvd CVSS3.1
8.3
Vulnerability type
CWE-269
Improper Privilege Management
Published: 9 May 2026 · Updated: 28 May 2026 · First seen: 9 May 2026