CVE-2025-27134
published 2025-04-30

Priority P2 · 65 · high · CVSS 3.1 base score 8.8
CVSS vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploit: available (Nuclei template, see Detection & IOCs below)
EPSS: 1.70% (74.4th percentile)
Joplin is a free, open source note taking and to-do application, which can handle a large number of notes organised into notebooks. Prior to version 3.3.3, a privilege escalation vulnerability exists in the Joplin server, allowing non-admin users to exploit the API endpoint `PATCH /api/users/:id` to set the `is_admin` field to 1. The vulnerability allows malicious low-privileged users to perform administrative actions without proper authorization. This issue has been patched in version 3.3.3.
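The advisory describes a mass-assignment style flaw: a PATCH body field that carries privilege (`is_admin`) is accepted from a caller who is not an admin. The following is an added illustration of that bug class beside a hardened handler, written in TypeScript because Joplin Server is a TypeScript project; it is not Joplin's code, and the record shape, session shape and function names are assumptions chosen only to mirror the advisory's endpoint and field.

```typescript
// Added illustration of the bug class behind CVE-2025-27134; this is NOT
// Joplin Server's code. Types and function names are assumptions that mirror
// the advisory: PATCH /api/users/:id accepting an `is_admin` field.

type UserRecord = {
  id: string;
  email: string;
  is_admin: number; // 1 = admin, 0 = regular user (the value the advisory's body sets)
};

// The caller, as resolved from the sessionId cookie.
type Session = {
  userId: string;
  isAdmin: boolean;
};

// Whatever JSON the client sent; any key may be present.
type PatchBody = Record<string, unknown>;

// Vulnerable shape: the body is merged onto the stored record with no field
// whitelist. Ownership is checked, but { "is_admin": 1 } from a non-admin
// editing their own id goes straight through.
function patchUserVulnerable(session: Session, target: UserRecord, body: PatchBody): UserRecord {
  if (!session.isAdmin && session.userId !== target.id) {
    throw new Error('403: cannot edit another user');
  }
  return { ...target, ...body } as UserRecord;
}

// Hardened shape: enumerate the fields a caller may change and gate
// privilege-bearing fields on the caller already being an admin.
const SELF_EDITABLE_FIELDS = new Set<string>(['email']);
const ADMIN_ONLY_FIELDS = new Set<string>(['is_admin']);

function patchUserHardened(session: Session, target: UserRecord, body: PatchBody): UserRecord {
  if (!session.isAdmin && session.userId !== target.id) {
    throw new Error('403: cannot edit another user');
  }
  const updated: UserRecord = { ...target };
  for (const [key, value] of Object.entries(body)) {
    if (ADMIN_ONLY_FIELDS.has(key)) {
      if (!session.isAdmin) throw new Error(`403: ${key} may only be changed by an admin`);
      if (value !== 0 && value !== 1) throw new Error(`400: ${key} must be 0 or 1`);
    } else if (!SELF_EDITABLE_FIELDS.has(key)) {
      // Unknown or read-only keys (id, ...) are rejected rather than silently merged.
      throw new Error(`400: field ${key} is not editable`);
    }
    Object.assign(updated, { [key]: value });
  }
  return updated;
}

// Stand-alone demo: a non-admin user tries to promote themself both ways.
function demo(): { vulnerableResult: number; hardenedRejected: boolean } {
  const alice: UserRecord = { id: 'u-42', email: 'alice@example.com', is_admin: 0 };
  const aliceSession: Session = { userId: 'u-42', isAdmin: false };
  const vulnerableResult = patchUserVulnerable(aliceSession, alice, { is_admin: 1 }).is_admin;
  let hardenedRejected = false;
  try {
    patchUserHardened(aliceSession, alice, { is_admin: 1 });
  } catch {
    hardenedRejected = true;
  }
  return { vulnerableResult, hardenedRejected };
}

console.log(demo()); // { vulnerableResult: 1, hardenedRejected: true }
```

The design point is the allow-list: the hardened handler decides per field who may set it, instead of trusting that a caller who may edit a record may edit every column of it. Rejecting unknown keys with a 400 rather than ignoring them also makes probing for hidden fields visible in logs.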

Affected (2 ranges)

Vendor          Product   Version range   Fixed in
joplin_project  joplin    < 3.3.3         3.3.3
laurent22       joplin    < 3.3.3         3.3.3

Detection & IOCs (extracted from sources)

url: PATCH /api/users/:id
path: /api/users/:id
path: /api/sessions
path: /api/users
cookie: sessionId={{session_id}}
request body (JSON): { "is_admin": 1 }
  • Monitor for PATCH requests to /api/users/<id> from non-admin authenticated sessions containing the JSON body field `is_admin` set to 1, which indicates a privilege escalation attempt.
  • Successful exploitation is confirmed when GET /api/users returns HTTP 200 and the response body contains an item with `is_admin == 1` matching the attacker's user_id.
  • The session cookie name used by Joplin Server is `sessionId`; monitor for this cookie being used in PATCH /api/users requests from low-privileged accounts.
  • Joplin Server instances can be discovered via Shodan using the query title:"Joplin Server" to identify exposed targets.
  • The Nuclei template logs in via POST /api/sessions using default credentials (admin@localhost / admin). Its check only succeeds if those defaults are still in use or valid low-privileged credentials are supplied to it.
  • The vulnerability affects Joplin Server versions prior to 3.3.3 only; instances running 3.3.3 or later are patched and not vulnerable.
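The detection notes above describe two observable stages: a non-admin session sending PATCH /api/users/<id> with `is_admin` set to 1, and a subsequent GET /api/users whose 200 response lists that same user with `is_admin == 1`. The following is an added example (not from Joplin or the cited Nuclei template) that runs that logic over constructed log lines. It assumes a reverse proxy or WAF in front of Joplin Server that writes one JSON object per request, including the parsed request body, the parsed response body and the user resolved from the sessionId cookie; the field names (`actor_id`, `actor_is_admin`, `body`, `response.items`) are assumptions, not Joplin's own log format.

```typescript
// Added detection example for CVE-2025-27134; not Joplin's code and not the
// Nuclei template. Log schema below is an assumed proxy/WAF format.

type RequestEvent = {
  ts: string;
  method: string;
  path: string;
  status: number;
  actor_id: string;        // user id resolved from the sessionId cookie ('' if unauthenticated)
  actor_is_admin: boolean; // admin flag of that session at request time
  body?: unknown;          // parsed JSON request body, when logged
  response?: unknown;      // parsed JSON response body, when logged
};

type Alert = { ts: string; severity: 'high' | 'critical'; actor_id: string; reason: string };

// PATCH /api/users/:id, capturing the target id.
const USERS_PATCH = /^\/api\/users\/([^\/?#]+)$/;

// One JSON object per line; blank lines are skipped.
function parseEvents(lines: string): RequestEvent[] {
  return lines
    .split('\n')
    .filter(l => l.trim().length > 0)
    .map(l => JSON.parse(l) as RequestEvent);
}

function isAdminFlagSet(body: unknown): boolean {
  if (typeof body !== 'object' || body === null) return false;
  const v = (body as Record<string, unknown>)['is_admin'];
  return v === 1 || v === true || v === '1';
}

function detectPrivilegeEscalation(events: RequestEvent[]): Alert[] {
  const alerts: Alert[] = [];
  const attempted = new Set<string>(); // actors seen sending is_admin=1 while non-admin
  for (const ev of events) {
    // Stage 1: the escalation attempt itself. Flag it regardless of whether
    // the target id is the actor's own, since a non-admin should never set it.
    const m = USERS_PATCH.exec(ev.path);
    if (ev.method === 'PATCH' && m && !ev.actor_is_admin && isAdminFlagSet(ev.body)) {
      attempted.add(ev.actor_id);
      alerts.push({
        ts: ev.ts,
        severity: 'high',
        actor_id: ev.actor_id,
        reason: `non-admin PATCH ${ev.path} with is_admin=1 (target ${m[1]}, status ${ev.status})`,
      });
    }
    // Stage 2: confirmation. The same actor reads /api/users and the 200
    // response lists them with is_admin == 1.
    if (ev.method === 'GET' && ev.path === '/api/users' && ev.status === 200 && attempted.has(ev.actor_id)) {
      const items = (ev.response as { items?: Array<Record<string, unknown>> } | undefined)?.items ?? [];
      if (items.some(u => u['id'] === ev.actor_id && u['is_admin'] === 1)) {
        alerts.push({
          ts: ev.ts,
          severity: 'critical',
          actor_id: ev.actor_id,
          reason: 'escalation confirmed: GET /api/users lists the actor with is_admin=1',
        });
      }
    }
  }
  return alerts;
}

// Constructed sample log (not real traffic): login, escalation PATCH,
// confirming GET, a benign self-edit, and a legitimate admin promotion.
const SAMPLE_LOG = `
{"ts":"2025-05-01T10:00:00Z","method":"POST","path":"/api/sessions","status":200,"actor_id":"","actor_is_admin":false}
{"ts":"2025-05-01T10:00:01Z","method":"PATCH","path":"/api/users/u-42","status":200,"actor_id":"u-42","actor_is_admin":false,"body":{"is_admin":1}}
{"ts":"2025-05-01T10:00:02Z","method":"GET","path":"/api/users","status":200,"actor_id":"u-42","actor_is_admin":false,"response":{"items":[{"id":"u-1","is_admin":1},{"id":"u-42","is_admin":1}]}}
{"ts":"2025-05-01T10:05:00Z","method":"PATCH","path":"/api/users/u-42","status":200,"actor_id":"u-42","actor_is_admin":false,"body":{"email":"new@example.com"}}
{"ts":"2025-05-01T10:06:00Z","method":"PATCH","path":"/api/users/u-7","status":200,"actor_id":"u-1","actor_is_admin":true,"body":{"is_admin":1}}
`;

function runSample(): Alert[] {
  return detectPrivilegeEscalation(parseEvents(SAMPLE_LOG));
}

console.log(runSample()); // one 'high' alert (the PATCH) and one 'critical' alert (the confirming GET), both for u-42
```

The attempt is flagged on its own, not only once confirmed, because on a patched 3.3.3+ server the PATCH would be rejected yet still tells you an authenticated user is probing for the bug. The admin-initiated PATCH in the sample is deliberately not flagged: the rule keys on the caller's privilege at request time, which is why the proxy must log the resolved session and not just the cookie value.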