Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:L
Lifecycle Timeline
4DescriptionGitHub Advisory
People is an application to handle users and teams, and distribute permissions across La Suite. Prior to version 1.25.0, a user holding the Administrator role on a mail domain could send a crafted invitation request to promote any existing user (including users with no current domain access) to the Owner role. The exploit requires a single authenticated HTTP request and grants full domain ownership immediately, without any acceptance step from the target. This issue has been patched in version 1.25.0.
AnalysisAI
Privilege escalation in Suite Numérique People prior to version 1.25.0 allows authenticated domain administrators to remotely promote any existing user to Owner role via a crafted invitation request, without requiring acceptance from the target user. The vulnerability requires valid Administrator credentials on a mail domain but grants immediate full domain ownership, creating a severe lateral privilege escalation risk within multi-tenant deployments.
Technical ContextAI
People is a user and team management service within La Suite that handles domain access control through role-based invitation and access models. The vulnerability exists in the mail domain invitation API endpoint, which failed to properly validate and restrict the role assignment during invitation creation. The affected code path allows an authenticated Administrator to specify an arbitrary role (including Owner) when crafting an invitation for an existing user, bypassing role hierarchy validation. The fix enforces strict role validation to prevent elevation beyond the inviter's own role and ensures invitations preserve intended role constraints. CWE-269 (Improper Access Control) encompasses this failure to properly restrict administrative capabilities.
RemediationAI
Upgrade Suite Numérique People to version 1.25.0 or later immediately. The patched version enforces strict role validation, preventing administrators from assigning roles equal to or higher than their own and ensuring invitations cannot elevate users beyond authorized levels. Apply the fix from GitHub commit 6a51b96d8e907483fa8fc489d8714cc35fb4099b or deploy released version 1.25.0 from https://github.com/suitenumerique/people/releases/tag/v1.25.0. Until patching is feasible, apply compensating controls by restricting Administrator role assignment to highly trusted personnel only, implementing audit logging on all domain invitation API calls to detect anomalous Owner-role invitation attempts, and regularly reviewing MailDomainAccess records for unexpected Owner assignments. Note that these controls do not prevent exploitation by a compromised administrator account and are temporary measures only.
Same weakness CWE-269 – Improper Privilege Management
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28821