Anonymous Intelligence Signal

CVE-2026-42562: Plainpad Privilege Escalation Bug Lets Authenticated Users Hijack Admin Accounts

The Lab (unverified) | 2026-05-10 07:31:44 | Source: Mastodon, mastodon.social, #infosec

A high-severity privilege escalation vulnerability has been identified in Plainpad, a self-hosted note-taking application. The flaw, tracked as CVE-2026-42562 and rated 8.3 (High) on the CVSS scale, lets any authenticated user, including one at the lowest privilege level, raise their own account to administrator by tampering with a single API request. All versions prior to 1.1.1 are affected.

The root cause is a missing authorization check on the application's user management endpoint, which the disclosure classes as an insecure direct object reference (IDOR); in practice it behaves as a mass-assignment flaw. The PUT /api.php/v1/users/{id} route accepts the "admin" parameter from the request body and persists it without verifying that the caller is permitted to change it. A low-privilege attacker simply includes admin=true in an update to their own record, the application stores it, and the account now has full administrative control over the Plainpad instance. Any account, including one created with minimal permissions, can therefore be used to read other users' notes, change the instance configuration, or exfiltrate data across the whole deployment.
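The flaw class described above, as an added illustration that is not Plainpad's code: a user-update handler that copies every submitted field into the stored record, beside a hardened version that applies a field allowlist and requires administrator rights both to change the admin flag and to touch any record other than the caller's own. The in-memory user table, the User fields and the function names are assumptions made for the example.

```python
"""Mass-assignment on a user-update endpoint: vulnerable handler vs hardened handler.

Added example, not code from the Plainpad project. Models the reported pattern:
an authenticated low-privilege user sends PUT /api.php/v1/users/{id} with
"admin": true and the field is persisted as sent. Data model and field names
are assumptions for the illustration.
"""
from dataclasses import dataclass
from typing import Any


class Forbidden(Exception):
    """Raised when the caller is not authorized for the requested change."""


@dataclass
class User:
    id: int
    name: str
    admin: bool = False


def sample_users() -> dict[int, User]:
    """Constructed in-memory user table standing in for the application's database."""
    return {
        1: User(id=1, name="root", admin=True),
        2: User(id=2, name="alice", admin=False),
        3: User(id=3, name="bob", admin=False),
    }


def update_user_vulnerable(users: dict[int, User], caller_id: int,
                           target_id: int, body: dict[str, Any]) -> User:
    """Vulnerable: the caller is authenticated, but every field in the body that
    matches a column, including "admin", is written back without any check of
    who the caller is or which record they are editing."""
    target = users[target_id]
    for key, value in body.items():
        if hasattr(target, key):
            setattr(target, key, value)
    return target


# Fields a non-admin may change on their own record.
SELF_EDITABLE = {"name"}
# Fields only an administrator may set on any record.
ADMIN_ONLY = {"admin"}


def update_user_hardened(users: dict[int, User], caller_id: int,
                         target_id: int, body: dict[str, Any]) -> User:
    """Hardened: enforce object-level and field-level authorization before
    persisting anything, and validate the type of privileged fields."""
    caller = users[caller_id]
    target = users[target_id]

    # Object-level check: non-admins may only edit their own record.
    if not caller.admin and caller_id != target_id:
        raise Forbidden("non-admin may only edit own record")

    # Reject anything outside the allowlist instead of silently ignoring it.
    unknown = set(body) - (SELF_EDITABLE | ADMIN_ONLY)
    if unknown:
        raise Forbidden(f"unexpected fields: {sorted(unknown)}")

    # Field-level check: the admin flag is only settable by an administrator,
    # and must be a real boolean (a string "true" would otherwise be truthy).
    if set(body) & ADMIN_ONLY:
        if not caller.admin:
            raise Forbidden("admin flag may only be set by an administrator")
        if not isinstance(body["admin"], bool):
            raise Forbidden("admin flag must be a boolean")

    for key, value in body.items():
        setattr(target, key, value)
    return target


if __name__ == "__main__":
    users = sample_users()
    print("vulnerable:", update_user_vulnerable(users, 2, 2, {"admin": True}))
    users = sample_users()
    try:
        update_user_hardened(users, 2, 2, {"admin": True})
    except Forbidden as exc:
        print("hardened rejected:", exc)
```

The point of the hardened version is that the decision to persist a field depends on the caller's role and on whose record is being edited, not merely on the caller having a valid session; a successful login is the only prerequisite the vulnerable handler checks.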

Security researchers warn that self-hosted Plainpad deployments are at immediate risk, especially where the application is reachable from the internet or shared among users with differing levels of trust, since the only prerequisite is a valid login. Operators running affected versions should upgrade to 1.1.1 or later without delay. Where that is not yet possible, restricting PUT requests to the /api.php/v1/users/ endpoint at a reverse proxy or firewall (for example, to administrator source addresses) reduces exposure. After upgrading, the user table should also be checked for accounts whose admin flag was set unexpectedly, because an attacker who escalated before the patch keeps that access until it is revoked. The disclosure adds to a pattern of authorization flaws in lightweight self-hosted applications, where convenience sometimes wins out over consistent access control.