CVE-2025-27134
📋 TL;DR
This privilege escalation vulnerability in Joplin server allows non-admin users to modify their own user accounts via the PATCH /api/users/:id endpoint to set the is_admin field to 1, granting themselves administrative privileges. All Joplin server instances prior to version 3.3.3 are affected. This enables malicious low-privileged users to perform unauthorized administrative actions.
💻 Affected Systems
- Joplin Server
📦 What is this software?
Joplin by Joplin Project
⚠️ Risk & Real-World Impact
Worst Case
An attacker gains full administrative control over the Joplin server, allowing them to access, modify, or delete all notes, manage all users, and potentially execute arbitrary code if other vulnerabilities exist.
Likely Case
A malicious user elevates their privileges to admin, gaining unauthorized access to sensitive notes and the ability to disrupt service for other users.
If Mitigated
With proper network segmentation and access controls, impact is limited to the Joplin server instance, but admin privileges could still be abused within that scope.
🎯 Exploit Status
Exploitation requires a valid non-admin user account. The vulnerability is straightforward to exploit via API calls.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.3.3
Vendor Advisory: https://github.com/laurent22/joplin/security/advisories/GHSA-xj67-649m-3p8x
Restart Required: Yes
Instructions:
1. Backup your Joplin Server data.
2. Stop the Joplin Server service.
3. Update to version 3.3.3 using your package manager or by downloading from GitHub.
4. Restart the Joplin Server service.
5. Verify the update was successful.
🔧 Temporary Workarounds
Disable user management API for non-admins
Temporarily restrict access to the PATCH /api/users/:id endpoint for non-admin users using a reverse proxy or firewall rules.
Monitor admin privilege changes
Implement logging and alerting for any changes to user admin status.
🧯 If You Can't Patch
- Restrict network access to Joplin Server to only trusted users and networks.
- Regularly audit user accounts and monitor for unauthorized admin privilege changes.
🔍 How to Verify
Check if Vulnerable:
Check if Joplin Server version is below 3.3.3 by accessing the server's web interface or checking the service version.
Check Version:
curl -s http://your-joplin-server:port/health | grep version
Verify Fix Applied:
After updating, verify the version is 3.3.3 or higher and test that non-admin users cannot modify the is_admin field via the API.
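The version comparison behind the check above, as an added example that is not part of the advisory. It assumes you have already obtained the server's version string (for instance from the health output quoted above) and only decides whether that string is older than the fixed release; a plain string comparison would misorder versions such as 3.3.10 against 3.3.3, which is why the components are compared numerically.

```python
"""Version triage for CVE-2025-27134 (added example, not from the advisory).

Assumption: the Joplin Server version string has already been retrieved;
this helper only decides whether it is below the fixed release 3.3.3.
"""
import re

FIXED_VERSION = (3, 3, 3)  # first release with the fix, per the advisory


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '3.3.3', 'v3.3.2' or '3.3.3-beta.1' into a numeric tuple.

    Only the leading dotted-numeric part is compared; a prerelease or build
    suffix is dropped (assumption: prereleases sort with their base version).
    """
    match = re.match(r"v?(\d+(?:\.\d+)*)", version.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = tuple(int(p) for p in match.group(1).split("."))
    # pad to three components so '3.3' compares as 3.3.0
    return parts + (0,) * (3 - len(parts))


def is_vulnerable_version(version: str) -> bool:
    """True when the server is older than 3.3.3 (numeric, not lexicographic)."""
    return parse_version(version) < FIXED_VERSION


if __name__ == "__main__":
    for v in ("3.3.2", "v3.3.3", "3.3.10", "3.2.9"):
        print(v, "VULNERABLE" if is_vulnerable_version(v) else "fixed")
```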
📡 Detection & Monitoring
Log Indicators:
- PATCH /api/users/:id requests from non-admin users whose body modifies the is_admin field
- Unexpected changes in user privilege levels
Network Indicators:
- HTTP PATCH requests to user API endpoints from IP addresses not associated with administrator sessions
SIEM Query:
source="joplin-server" AND (method="PATCH" AND uri="/api/users/*" AND request_body LIKE "%is_admin%")
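The log indicators and SIEM query above, implemented as a small detector run over constructed sample log lines. This is an added example and not part of the advisory or the Joplin project; it assumes a request log with one JSON object per line and the field names used below (actor, actor_is_admin, method, path, body), which you would map to your own schema. It flags PATCH requests to /api/users/:id that touch is_admin and do not come from an admin, and marks the case where the actor and the target account are the same, which is the self-escalation the advisory describes.

```python
"""Detection for CVE-2025-27134 privilege-change attempts (added example).

Assumption: the reverse proxy or application log is available as JSON lines
with the fields used below. Field names and sample events are constructed
for this example.
"""
import json
import re

USER_PATH = re.compile(r"^/api/users/([^/?]+)")  # endpoint named in the advisory

# Constructed sample log: five events, two of which should raise an alert.
SAMPLE_LOG = r"""
{"ts":"2025-03-01T10:00:01Z","actor":"u-alice","actor_is_admin":false,"method":"GET","path":"/api/users/u-alice","body":""}
{"ts":"2025-03-01T10:00:02Z","actor":"u-alice","actor_is_admin":false,"method":"PATCH","path":"/api/users/u-alice","body":"{\"is_admin\":1}"}
{"ts":"2025-03-01T10:00:03Z","actor":"u-admin","actor_is_admin":true,"method":"PATCH","path":"/api/users/u-bob","body":"{\"is_admin\":1}"}
{"ts":"2025-03-01T10:00:04Z","actor":"u-bob","actor_is_admin":false,"method":"PATCH","path":"/api/users/u-bob","body":"{\"full_name\":\"Bob\"}"}
{"ts":"2025-03-01T10:00:05Z","actor":"u-carol","actor_is_admin":false,"method":"PATCH","path":"/api/users/u-dave","body":"{\"is_admin\":true}"}
"""


def is_admin_field_set(body) -> bool:
    """True if the request body tries to set is_admin (string or parsed dict)."""
    if isinstance(body, str):
        try:
            body = json.loads(body) if body else {}
        except json.JSONDecodeError:
            # unparsable body: fall back to the substring match the SIEM query uses
            return "is_admin" in body
    return isinstance(body, dict) and "is_admin" in body


def detect_escalation_attempts(log_text: str) -> list[dict]:
    """Return one alert per non-admin PATCH /api/users/:id that touches is_admin."""
    alerts = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # not a structured event; skip rather than crash the pipeline
        match = USER_PATH.match(event.get("path", ""))
        if event.get("method") != "PATCH" or not match:
            continue
        if not is_admin_field_set(event.get("body", "")):
            continue
        if event.get("actor_is_admin"):
            continue  # admins may legitimately change this field; audit separately
        target = match.group(1)
        alerts.append({
            "ts": event.get("ts"),
            "actor": event.get("actor"),
            "target": target,
            "self_escalation": target == event.get("actor"),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_escalation_attempts(SAMPLE_LOG):
        kind = "SELF-ESCALATION" if alert["self_escalation"] else "privilege change"
        print(f"{alert['ts']} {kind}: {alert['actor']} -> {alert['target']}")
```

Any non-admin PATCH that carries is_admin is an alert regardless of the target, because on a fixed server the request should be rejected and on an unfixed one it succeeds; the self_escalation flag just distinguishes the advisory's exact pattern from a broader attempt.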