Skip to main content

Suite Numérique People CVE-2026-42185

| EUVD-2026-28821 MEDIUM
Improper Privilege Management (CWE-269)
2026-05-08 GitHub_M
Privilege Escalation
5.5
CVSS 3.1
Share

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
Low

Lifecycle Timeline

4
Patch available
May 08, 2026 - 21:03 EUVD
Source Code Evidence Fetched
May 08, 2026 - 20:01 vuln.today
Analysis Generated
May 08, 2026 - 20:01 vuln.today
CVE Published
May 08, 2026 - 19:23 nvd
MEDIUM 5.5

DescriptionNVD

People is an application to handle users and teams, and distribute permissions across La Suite. Prior to version 1.25.0, a user holding the Administrator role on a mail domain could send a crafted invitation request to promote any existing user (including users with no current domain access) to the Owner role. The exploit requires a single authenticated HTTP request and grants full domain ownership immediately, without any acceptance step from the target. This issue has been patched in version 1.25.0.

AnalysisAI

Privilege escalation in Suite Numérique People prior to version 1.25.0 allows authenticated domain administrators to remotely promote any existing user to Owner role via a crafted invitation request, without requiring acceptance from the target user. The vulnerability requires valid Administrator credentials on a mail domain but grants immediate full domain ownership, creating a severe lateral privilege escalation risk within multi-tenant deployments.

Sign in for full analysis, threat intelligence, and remediation guidance.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Share

CVE-2026-42185 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy