Skip to main content

CVE-2025-27134: CWE-284: Improper Access Control in laurent22 joplin

High
VulnerabilityCVE-2025-27134cvecve-2025-27134cwe-284
Published: Wed Apr 30 2025 (04/30/2025, 14:55:10 UTC)
Source: CVE
Vendor/Project: laurent22
Product: joplin

Description

Joplin is a free, open source note taking and to-do application, which can handle a large number of notes organised into notebooks. Prior to version 3.3.3, a privilege escalation vulnerability exists in the Joplin server, allowing non-admin users to exploit the API endpoint `PATCH /api/users/:id` to set the `is_admin` field to 1. The vulnerability allows malicious low-privileged users to perform administrative actions without proper authorization. This issue has been patched in version 3.3.3.

AI-Powered Analysis

AILast updated: 06/25/2025, 07:45:22 UTC

Technical Analysis

CVE-2025-27134 is a high-severity privilege escalation vulnerability affecting versions of the Joplin server prior to 3.3.3. Joplin is an open-source note-taking and to-do application that supports organizing notes into notebooks and offers a server component for synchronization and multi-user collaboration. The vulnerability arises from improper access control (CWE-284) in the API endpoint PATCH /api/users/:id. Specifically, non-administrative users can exploit this endpoint to modify the 'is_admin' field of their user account to 1, effectively granting themselves administrative privileges without proper authorization. This flaw allows an attacker with low privileges to escalate their access rights to administrator level, enabling them to perform any administrative actions on the server, including managing other users, accessing sensitive notes, or altering server configurations. The vulnerability has a CVSS 3.1 base score of 8.8, indicating high severity, with the vector indicating network attack vector (AV:N), low attack complexity (AC:L), privileges required as low (PR:L), no user interaction (UI:N), unchanged scope (S:U), and high impact on confidentiality, integrity, and availability (C:H/I:H/A:H). The issue was patched in Joplin server version 3.3.3. No known exploits in the wild have been reported as of the publication date (April 30, 2025).

Potential Impact

For European organizations using Joplin server versions prior to 3.3.3, this vulnerability poses a significant risk. An attacker with a valid low-privilege user account can escalate privileges to administrator, potentially gaining full control over the note-taking environment. This can lead to unauthorized access to sensitive corporate or personal information stored in notes, manipulation or deletion of critical data, disruption of collaboration workflows, and compromise of user privacy. Given Joplin's use in both personal and professional contexts, organizations relying on it for internal documentation or task management could face data breaches, operational disruption, and reputational damage. The high impact on confidentiality, integrity, and availability means that exploitation could severely affect business continuity and compliance with data protection regulations such as GDPR. Additionally, since the attack requires no user interaction and can be performed remotely over the network, the threat is easily exploitable by insiders or external attackers who have obtained low-level credentials.

Mitigation Recommendations

European organizations should immediately verify the version of their Joplin server deployments and upgrade all instances to version 3.3.3 or later, where the vulnerability is patched. If upgrading is not immediately feasible, organizations should implement strict network access controls to restrict access to the Joplin server API endpoints to trusted users and networks only. Monitoring and logging of API requests to the PATCH /api/users/:id endpoint should be enabled to detect any unauthorized attempts to modify user privileges. Additionally, organizations should enforce strong authentication mechanisms and consider multi-factor authentication to reduce the risk of credential compromise. Regular audits of user privileges should be conducted to identify and remediate any unauthorized administrative accounts. Finally, organizations should educate users about the importance of safeguarding their credentials and promptly report any suspicious activity related to their accounts.

Need more detailed analysis?Get Pro

Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2025-02-19T16:30:47.774Z
Cisa Enriched
true
Cvss Version
3.1
State
PUBLISHED

Threat ID: 682d983bc4522896dcbedf0d

Added to database: 5/21/2025, 9:09:15 AM

Last enriched: 6/25/2025, 7:45:22 AM

Last updated: 8/10/2025, 11:00:55 AM

Views: 16

Actions

PRO

Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.

Please log in to the Console to use AI analysis features.

Need enhanced features?

Contact root@offseq.com for Pro access with improved analysis and higher rate limits.

Latest Threats