CVE-2026-42185— People: Privilege Escalation via Missing Role Ceiling in Mail Domain Invitation
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-42185
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
People: Privilege Escalation via Missing Role Ceiling in Mail Domain Invitation
Source: NVD (National Vulnerability Database)
Vulnerability Description
People is an application to handle users and teams, and distribute permissions across La Suite. Prior to version 1.25.0, a user holding the Administrator role on a mail domain could send a crafted invitation request to promote any existing user (including users with no current domain access) to the Owner role. The exploit requires a single authenticated HTTP request and grants full domain ownership immediately, without any acceptance step from the target. This issue has been patched in version 1.25.0.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:L
Source: NVD (National Vulnerability Database)
Vulnerability Type
特权管理不恰当
Source: NVD (National Vulnerability Database)
Vulnerability Title
People 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
People是La Suite numérique开源的一个用户与团队权限管理应用。 People 1.25.0之前版本存在安全漏洞,该漏洞源于持有邮件域管理员角色的用户可通过精心设计的邀请请求将任何现有用户提升为所有者角色,可能导致权限提升。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| suitenumerique | people | < 1.25.0 | - |
II. Public POCs for CVE-2026-42185
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-42185
请登录查看更多情报信息。
- Release v1.25.0 · suitenumerique/people · GitHubx_refsource_MISC
- https://nvd.nist.gov/vuln/detail/CVE-2026-42185
IV. Related Vulnerabilities
Same weakness: CWE-269
- CVE-2026-42562
Plainpad: Privilege Escalation via Writable Admin Field in P - CVE-2026-41163
bubblewrap vulnerable to privilege escalation in setuid mode - CVE-2026-44987
SysReptor: Privilege Escalation from User Admin to Superuser - CVE-2026-40001
Local privilege escalation vulnerability in ZTE PROCESS Guar - CVE-2026-7778
runZero Platform dashboard configuration exposure
V. Comments for CVE-2026-42185
No comments yet