CVE-2025-27134
Published 2025-04-30
Priority: P2 (65) · Severity: high · CVSS 3.1 base score: 8.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 1.70% (74.4th percentile)
Joplin is a free, open source note taking and to-do application, which can handle a large number of notes organised into notebooks. Prior to version 3.3.3, a privilege escalation vulnerability exists in the Joplin server, allowing non-admin users to exploit the API endpoint `PATCH /api/users/:id` to set the `is_admin` field to 1. The vulnerability allows malicious low-privileged users to perform administrative actions without proper authorization. This issue has been patched in version 3.3.3.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| joplin_project | joplin | < 3.3.3 | 3.3.3 |
| laurent22 | joplin | < 3.3.3 | 3.3.3 |
Detection & IOCs (extracted from sources)
- path: /api/sessions
- path: /api/users
- cookie: sessionId={{session_id}}
- command: { "is_admin": 1 }
- Monitor for PATCH requests to /api/users/<id> from non-admin authenticated sessions containing the JSON body field `is_admin` set to 1, which indicates a privilege escalation attempt.
- Successful exploitation is confirmed when GET /api/users returns HTTP 200 and the response body contains an item with `is_admin == 1` matching the attacker's user_id.
- The session cookie name used by Joplin Server is `sessionId`; monitor for this cookie being used in PATCH /api/users requests from low-privileged accounts.
- Joplin Server instances can be discovered via Shodan using the query title:"Joplin Server" to identify exposed targets.
- The Nuclei template uses default credentials (admin@localhost / admin) for the initial session POST. Detection/exploitation only works if default credentials are in use or valid low-privileged credentials are supplied.
- The vulnerability affects Joplin Server versions prior to 3.3.3 only; instances running 3.3.3 or later are patched and not vulnerable.
No advisories linked to this vulnerability.
No detection rules found.
Nuclei
Joplin 3.3.3 Server - Privilege Escalation (nuclei · CVSS 8.8)
CVE-2025-27134 [HIGH] Joplin 3.3.3 Server - Privilege Escalation
Template:
```yaml
id: CVE-2025-27134
info:
  name: Joplin 3.3.3 Server - Privilege Escalation
  author: zonia3000
  severity: high
  description: |
    Joplin is a free, open source note taking and to-do application, which can handle a large number of notes organised into no
```
No writeups or analysis indexed.