PT-2025-18288 · Joplin · Joplin
Zonia3000 · Published 2025-04-30 · Updated 2025-06-15
CVE-2025-27134 · CVSS v3.1 8.8 High
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Joplin Server, versions prior to 3.3.3

Description: The issue is a privilege escalation vulnerability in Joplin Server. An authenticated non-admin user can call the API endpoint PATCH /api/users/:id and set the is_admin field of a user record to 1, after which they can perform administrative actions without proper authorization. Only a valid account on the server is required (PR:L in the vector) and no user interaction is needed.

Recommendations: For versions prior to 3.3.3, update to version 3.3.3, which resolves the issue. As a temporary workaround, restrict access to the PATCH /api/users/:id endpoint (for example at a reverse proxy in front of the server), bearing in mind that this also blocks legitimate uses of the endpoint, and ensure that the is_admin field can only be set by administrators. After patching, review the user list for accounts with is_admin set to 1 that were not granted that role deliberately, since a successful exploit leaves the elevated flag in place.
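The access-control flaw described above, modelled as an added JavaScript example (this is not Joplin Server's code): a PATCH /api/users/:id handler that merges every body field onto the target record beside a hardened handler that allow-lists fields and gates is_admin on the caller's stored role. The in-memory user store, the ids u-admin, u-alice and u-bob, and the fields email and full_name are constructed for the example; only the endpoint, the is_admin field and the value 1 come from the advisory.

```javascript
// Added illustration for CVE-2025-27134, not Joplin Server's own code.
// Two versions of a PATCH /api/users/:id handler: the pattern the advisory
// describes (whole body merged into the user record) and a hardened one.
// Assumptions: an in-memory Map as the user store, string user ids, and the
// extra fields `email` and `full_name`, all constructed for this example.

// Constructed sample data: one administrator and two ordinary users.
function makeUsers() {
  return new Map([
    ['u-admin', { id: 'u-admin', email: 'admin@example.test', full_name: 'Admin', is_admin: 1 }],
    ['u-alice', { id: 'u-alice', email: 'alice@example.test', full_name: 'Alice', is_admin: 0 }],
    ['u-bob',   { id: 'u-bob',   email: 'bob@example.test',   full_name: 'Bob',   is_admin: 0 }],
  ]);
}

// Vulnerable pattern: the "own account or admin" check passes for a user
// editing their own record, then the whole body is merged in, so a
// non-admin can submit { is_admin: 1 } for themselves.
function patchUserVulnerable(users, callerId, targetId, body) {
  const caller = users.get(callerId);
  if (!caller) return { status: 401 };
  const target = users.get(targetId);
  if (!target) return { status: 404 };
  if (callerId !== targetId && !caller.is_admin) return { status: 403 };
  Object.assign(target, body); // no per-field authorization
  return { status: 200, user: { ...target } };
}

// Hardened pattern: every body field must be explicitly allowed, and
// privileged fields require that the caller's *stored* record is an admin
// (not a flag carried in the session, which could be stale).
const SELF_EDITABLE_FIELDS = new Set(['email', 'full_name']);
const ADMIN_ONLY_FIELDS = new Set(['is_admin']);

function patchUserHardened(users, callerId, targetId, body) {
  const caller = users.get(callerId);
  if (!caller) return { status: 401 };
  const target = users.get(targetId);
  if (!target) return { status: 404 };
  if (callerId !== targetId && !caller.is_admin) return { status: 403 };

  // Validate every field before touching the record, so a rejected request
  // leaves no partial update behind.
  for (const field of Object.keys(body)) {
    if (ADMIN_ONLY_FIELDS.has(field)) {
      if (!caller.is_admin) {
        return { status: 403, error: `${field} may only be set by an administrator` };
      }
      if (body[field] !== 0 && body[field] !== 1) {
        return { status: 400, error: `${field} must be 0 or 1` };
      }
    } else if (!SELF_EDITABLE_FIELDS.has(field)) {
      // Deny by default: unknown fields (including id) are rejected rather
      // than silently ignored, which also blocks mass assignment of any
      // column added later.
      return { status: 400, error: `field ${field} is not updatable` };
    }
  }
  Object.assign(target, body);
  return { status: 200, user: { ...target } };
}

// Runs the advisory's scenario (a non-admin patching their own record with
// is_admin = 1) against both handlers and reports the resulting role.
function demo() {
  const vulnerable = makeUsers();
  const hardened = makeUsers();
  const attack = { is_admin: 1 };
  const r1 = patchUserVulnerable(vulnerable, 'u-alice', 'u-alice', attack);
  const r2 = patchUserHardened(hardened, 'u-alice', 'u-alice', attack);
  return {
    vulnerable: { status: r1.status, is_admin: vulnerable.get('u-alice').is_admin },
    hardened: { status: r2.status, is_admin: hardened.get('u-alice').is_admin },
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run with node: the demo shows the self-patch succeeding against the first handler (status 200, is_admin becomes 1) and being refused by the second (status 403, is_admin stays 0). The two properties worth carrying into any real fix are that the caller's role is read from the stored record, and that the set of updatable fields is an explicit allow-list checked before anything is written.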

Tags: Exploit · Fix · LPE · Improper Access Control


Weakness Enumeration: none listed

Related Identifiers: CVE-2025-27134, GHSA-XJ67-649M-3P8X

Affected Products: Joplin