CVE-2026-25806

6.5 MEDIUM

📋 TL;DR

This CVE describes a missing authorization vulnerability in the PlaciPy placement management system. Any authenticated user can access, modify, or delete any student record regardless of their permissions, affecting every educational institution running version 1.0.0.

💻 Affected Systems

Products:
  • PlaciPy
Versions: 1.0.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all deployments of PlaciPy 1.0.0 regardless of configuration.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Malicious authenticated user could delete or modify all student records, causing data loss and system disruption.

🟠

Likely Case

Users accessing or modifying student records they shouldn't have access to, violating privacy and data integrity.

🟢

If Mitigated

Proper role-based access controls would limit users to only their authorized student records.

🌐 Internet-Facing: HIGH - If the API endpoints are exposed to the internet, any authenticated user can exploit this vulnerability.
🏢 Internal Only: HIGH - Even internally, authenticated users can access student data they are not authorized for.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires a valid authentication token but no special tools or knowledge; ordinary API requests are sufficient.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check GitHub advisory for latest patched version

Vendor Advisory: https://github.com/Praskla-Technology/assessment-placipy/security/advisories/GHSA-99gr-8933-3vwj

Restart Required: Yes

Instructions:

1. Update to the patched version from the GitHub repository.
2. Restart the PlaciPy application.
3. Verify that authorization checks are implemented in the student routes.

🔧 Temporary Workarounds

API Gateway Rate Limiting
Applies to: all
Implement rate limiting on the student API endpoints to reduce the impact of mass enumeration.

Network Segmentation
Applies to: all
Restrict access to the student API endpoints to authorized networks only.

🧯 If You Can't Patch

  • Implement reverse proxy with authorization checks before requests reach PlaciPy
  • Monitor all student API endpoint access for unusual patterns and implement alerting
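The authorization check that a reverse proxy, or the patched application, needs to enforce in front of `/api/students/:email` can be expressed as a small policy function. The following is an added example and is not PlaciPy's own code: the role names (`student`, `staff`, `admin`), the rule that staff are scoped to their institution's e-mail domain, and the handler shapes are all assumptions chosen to illustrate the vulnerable pattern (authentication only) next to its hardened form (authentication plus an ownership/role check).

```python
from dataclasses import dataclass

# Roles assumed for illustration; the page does not document PlaciPy's real role model.
STUDENT, STAFF, ADMIN = "student", "staff", "admin"
READ_METHODS = {"GET"}
WRITE_METHODS = {"PUT", "PATCH", "DELETE"}


@dataclass(frozen=True)
class Principal:
    """The authenticated caller, as a proxy or app would reconstruct it from a session/token."""
    email: str
    role: str


def email_domain(email: str) -> str:
    return email.rsplit("@", 1)[-1].lower()


def handle_unchecked(principal, method: str, target_email: str) -> int:
    """Vulnerable pattern: the route only confirms that *someone* is logged in.
    Every authenticated user reaches every record (missing authorization)."""
    if principal is None:
        return 401
    return 200


def authorize_student_access(principal, method: str, target_email: str) -> bool:
    """Hardened check: True only if `principal` may perform `method` on the record
    identified by `target_email`. Unknown roles and methods are denied by default."""
    if principal is None:
        return False
    if method not in READ_METHODS | WRITE_METHODS:
        return False
    if principal.role == ADMIN:
        return True
    if principal.role == STAFF:
        # Assumed scoping rule: staff act only on records within their own institution domain.
        return email_domain(principal.email) == email_domain(target_email)
    if principal.role == STUDENT:
        # Assumed rule: a student may read their own record; modifications go through staff.
        return method in READ_METHODS and principal.email.lower() == target_email.lower()
    return False


def handle_checked(principal, method: str, target_email: str) -> int:
    """Fixed pattern: authenticate, then authorize against the specific record."""
    if principal is None:
        return 401
    if not authorize_student_access(principal, method, target_email):
        return 403
    return 200


if __name__ == "__main__":
    bob = Principal("bob@uni.example", STUDENT)
    # Vulnerable handler lets bob delete alice's record; the checked handler refuses.
    print("unchecked:", handle_unchecked(bob, "DELETE", "alice@uni.example"))
    print("checked:  ", handle_checked(bob, "DELETE", "alice@uni.example"))
```

The check must be evaluated per request against the record named in the path, not once at login; a proxy that only validates the session token reproduces the vulnerable pattern. Returning 403 (rather than 404) for a foreign record is a design choice; if record existence itself is sensitive, answer 404 for both missing and unauthorized records.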

🔍 How to Verify

Check if Vulnerable:

Make authenticated API calls to the /api/students/:email endpoints with different user accounts and check whether authorization is enforced.

Check Version:

Check package.json or application version endpoint if available

Verify Fix Applied:

Verify that API endpoints now check user permissions before allowing student record access/modification

📡 Detection & Monitoring

Log Indicators:

  • Multiple student record accesses from single user account
  • User accessing student records with different email domains
  • Rapid sequence of student record modifications

Network Indicators:

  • Unusual patterns of GET/PUT/DELETE requests to student API endpoints
  • Requests to student endpoints from unauthorized IP ranges

SIEM Query:

source="placipy" AND (uri_path="/api/students/*" AND user_id!=student_email_domain)

The field names (`source`, `uri_path`, `user_id`) and the query syntax above are illustrative and must be mapped onto the log schema of the deployment; the intent is to surface requests to the student endpoints where the acting user does not match the owner of the record being addressed.
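The three log indicators above (many records from one account, cross-owner or cross-domain access, rapid modifications) can be checked with plain log processing when no SIEM is available. The following is an added example, not PlaciPy's own tooling: it assumes a JSON-lines access log with `ts`, `user`, `method` and `path` fields (a constructed sample is embedded), and the thresholds and time windows are arbitrary starting points to tune per deployment.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

STUDENT_PREFIX = "/api/students/"

# Constructed sample log (not a real PlaciPy log format). Assumed JSON-lines schema:
# ts = UTC timestamp, user = authenticated account, method = HTTP verb, path = request path.
SAMPLE_LOG = """\
{"ts":"2026-02-01T09:00:00Z","user":"alice@uni.example","method":"GET","path":"/api/students/alice@uni.example"}
{"ts":"2026-02-01T09:01:00Z","user":"bob@uni.example","method":"GET","path":"/api/students/s1@uni.example"}
{"ts":"2026-02-01T09:01:10Z","user":"bob@uni.example","method":"GET","path":"/api/students/s2@uni.example"}
{"ts":"2026-02-01T09:01:20Z","user":"bob@uni.example","method":"GET","path":"/api/students/s3@uni.example"}
{"ts":"2026-02-01T09:01:30Z","user":"bob@uni.example","method":"GET","path":"/api/students/s4@uni.example"}
{"ts":"2026-02-01T09:01:40Z","user":"bob@uni.example","method":"GET","path":"/api/students/s5@uni.example"}
{"ts":"2026-02-01T09:01:50Z","user":"bob@uni.example","method":"GET","path":"/api/students/s6@uni.example"}
{"ts":"2026-02-01T09:05:00Z","user":"carol@uni.example","method":"DELETE","path":"/api/students/s1@uni.example"}
{"ts":"2026-02-01T09:05:20Z","user":"carol@uni.example","method":"DELETE","path":"/api/students/s2@uni.example"}
{"ts":"2026-02-01T09:05:40Z","user":"carol@uni.example","method":"PUT","path":"/api/students/s3@uni.example"}
{"ts":"2026-02-01T09:06:00Z","user":"carol@uni.example","method":"DELETE","path":"/api/students/s4@uni.example"}
{"ts":"2026-02-01T09:10:00Z","user":"dave@other.example","method":"GET","path":"/api/students/s1@uni.example"}
{"ts":"2026-02-01T09:12:00Z","user":"alice@uni.example","method":"GET","path":"/api/placements"}
"""


def parse_log(text):
    """Parse JSON lines into event dicts, converting `ts` to a datetime."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def student_email(path):
    """Return the e-mail addressed by a /api/students/:email path, or None for other paths."""
    if not path.startswith(STUDENT_PREFIX):
        return None
    return path[len(STUDENT_PREFIX):].split("/", 1)[0] or None


def owner_mismatches(events):
    """Requests where the acting user touches a record that is not their own.
    `cross_domain` is set when the user's and the record's e-mail domains differ."""
    hits = []
    for ev in events:
        target = student_email(ev["path"])
        if target and target.lower() != ev["user"].lower():
            cross = target.rsplit("@", 1)[-1].lower() != ev["user"].rsplit("@", 1)[-1].lower()
            hits.append({"user": ev["user"], "target": target, "ts": ev["ts"], "cross_domain": cross})
    return hits


def _sliding_window_hits(by_user, window, threshold, key):
    """Flag users whose keyed items exceed `threshold` within any `window`-long span."""
    flagged = {}
    for user, items in by_user.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            in_window = [key(ts, v) for ts, v in items[i:] if ts - start <= window]
            count = len(set(in_window))
            if count > threshold:
                flagged[user] = count
                break
    return flagged


def mass_enumeration(events, threshold=5, window=timedelta(minutes=10)):
    """Users that read more than `threshold` distinct student records within `window`."""
    by_user = defaultdict(list)
    for ev in events:
        target = student_email(ev["path"])
        if target and ev["method"] == "GET":
            by_user[ev["user"]].append((ev["ts"], target))
    return _sliding_window_hits(by_user, window, threshold, key=lambda ts, t: t)


def rapid_modifications(events, threshold=3, window=timedelta(minutes=5)):
    """Users issuing more than `threshold` PUT/DELETE requests to student records within `window`."""
    by_user = defaultdict(list)
    for ev in events:
        if student_email(ev["path"]) and ev["method"] in ("PUT", "DELETE"):
            by_user[ev["user"]].append((ev["ts"], ev["path"]))
    # Count every request, so key on the timestamp+path pair rather than the record alone.
    return _sliding_window_hits(by_user, window, threshold, key=lambda ts, p: (ts, p))


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("owner mismatches:", len(owner_mismatches(evs)))
    print("mass enumeration:", mass_enumeration(evs))
    print("rapid modifications:", rapid_modifications(evs))
```

Owner mismatch is the strongest signal here: before the fix it is the exact footprint of the vulnerability, and after the fix it should only ever appear alongside a 403 response, so a non-error status on a mismatched request is itself worth an alert. The enumeration and modification counters are noisier and mainly useful as rate-of-change indicators.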
