CVE-2025-27134 Scanner
Detects a privilege escalation vulnerability in Joplin Server prior to 3.3.3 via the insecure user update API.
Short Info
Level: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 8 days 18 hours
Scan only one: Domain, Subdomain, IPv4
Toolbox: -
Joplin is a free, open source note-taking and to-do application that can handle a large number of notes organised into notebooks. Prior to version 3.3.3, a privilege escalation vulnerability (CVE-2025-27134) exists in Joplin Server: the `PATCH /api/users/:id` endpoint lets a non-admin user set the `is_admin` field of their own account to 1. A malicious low-privileged user can thereby perform administrative actions without proper authorization. The issue has been patched in version 3.3.3.
The flaw lies in the `PATCH /api/users/:id` API endpoint, where any authenticated user can modify their own `is_admin` flag to 1, granting themselves full administrator privileges. Once elevated, the user can perform administrative operations such as creating and deleting users and accessing all data on the server.
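The authorization decision behind that endpoint, as an added illustration that is not Joplin Server's own code. The function names, the in-memory `User` type and the sample accounts are assumptions, and the vulnerable variant models one plausible shape of the bug (the caller's right to update the record is checked, the fields inside the patch are not); it is shown beside a hardened version that also authorizes each field, so a non-admin cannot touch `is_admin` even on their own account.

```typescript
// Added example, not Joplin Server's code. Models the authorization check
// behind PATCH /api/users/:id. Names below are assumptions.

interface User {
  id: string;
  email: string;
  is_admin: number; // 0 or 1, mirroring the field name in the advisory
}

type UserPatch = Partial<Pick<User, "email" | "is_admin">>;

class ForbiddenError extends Error {
  constructor(message: string) {
    super(message);
    this.name = "ForbiddenError";
  }
}

// Fields that only an administrator may change, on any account.
const ADMIN_ONLY_FIELDS: (keyof UserPatch)[] = ["is_admin"];

// Vulnerable shape: ownership is checked, the contents of the patch are not.
// A non-admin updating their own record can therefore include is_admin: 1.
function applyUserPatchVulnerable(caller: User, target: User, patch: UserPatch): User {
  if (!caller.is_admin && caller.id !== target.id) {
    throw new ForbiddenError("cannot modify another user");
  }
  return { ...target, ...patch };
}

// Hardened shape: same ownership check plus field-level authorization.
// An attempt by a non-admin to set an admin-only field is rejected outright
// rather than silently dropped, so the attempt is visible in logs.
function applyUserPatchFixed(caller: User, target: User, patch: UserPatch): User {
  if (!caller.is_admin && caller.id !== target.id) {
    throw new ForbiddenError("cannot modify another user");
  }
  if (!caller.is_admin) {
    for (const field of ADMIN_ONLY_FIELDS) {
      if (field in patch) {
        throw new ForbiddenError(`field '${field}' requires admin privileges`);
      }
    }
  }
  return { ...target, ...patch };
}

// Constructed sample accounts for a stand-alone run.
const alice: User = { id: "u1", email: "alice@example.com", is_admin: 0 };
const root: User = { id: "u0", email: "admin@example.com", is_admin: 1 };

// The request a low-privileged user sends in the vulnerable case is
// PATCH /api/users/u1 with body {"is_admin": 1}; this returns true when the
// hardened handler refuses it.
function fixedRejectsSelfEscalation(): boolean {
  try {
    applyUserPatchFixed(alice, alice, { is_admin: 1 });
    return false;
  } catch (e) {
    return (e as Error).name === "ForbiddenError";
  }
}

function demo(): void {
  const escalated = applyUserPatchVulnerable(alice, alice, { is_admin: 1 });
  console.log("vulnerable handler, alice.is_admin after patch:", escalated.is_admin);
  console.log("hardened handler rejects self-escalation:", fixedRejectsSelfEscalation());
  console.log("hardened handler, admin promotes alice:",
    applyUserPatchFixed(root, alice, { is_admin: 1 }).is_admin);
}
demo();
```

The hardened version still lets a non-admin change self-service fields such as `email`; the point is that the set of writable fields depends on who is calling, not just on whether the caller owns the record.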
References: