CVE-2026-42185 MEDIUM

CVE-2026-42185: People: Privilege Escalation via Missing Role Ceiling in Mail Domain Invitation

Vendor Suitenumerique
Product people
Weakness CWE-269
Published May 8, 2026
Last update May 8, 2026

CVSS base score

5.5/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality None
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:L

What the vulnerability does

01 Description

People is an application to handle users and teams, and distribute permissions across La Suite. Prior to version 1.25.0, a user holding the Administrator role on a mail domain could send a crafted invitation request to promote any existing user (including users with no current domain access) to the Owner role. The exploit requires a single authenticated HTTP request and grants full domain ownership immediately, without any acceptance step from the target. This issue has been patched in version 1.25.0.
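The missing check described above, shown as an added example that is not taken from the People code base: a handler that only verifies the inviter may invite, next to one that enforces a role ceiling. All names are hypothetical, and the `VIEWER` role, the role ordering and the in-memory `accesses` mapping are assumptions made for illustration.

```python
from enum import IntEnum


class Role(IntEnum):
    # Assumed ordering; only Administrator and Owner are named in the advisory.
    VIEWER = 1
    ADMINISTRATOR = 2
    OWNER = 3


class RoleCeilingError(PermissionError):
    """Raised when an inviter tries to grant or alter a role above their own."""


def invite_without_ceiling(accesses, inviter, target, requested_role):
    """Pre-fix behaviour as the advisory describes it (hypothetical code)."""
    if accesses.get(inviter, 0) < Role.ADMINISTRATOR:
        raise PermissionError("inviter cannot manage this domain")
    # Existing user: access is written immediately, with no acceptance step
    # and no comparison between the requested role and the inviter's role.
    accesses[target] = Role(requested_role)
    return accesses[target]


def invite_with_ceiling(accesses, inviter, target, requested_role):
    """Same flow with a role ceiling: nobody grants more than they hold."""
    inviter_role = accesses.get(inviter)
    if inviter_role is None or inviter_role < Role.ADMINISTRATOR:
        raise PermissionError("inviter cannot manage this domain")
    requested = Role(requested_role)  # ValueError on unknown role values
    if requested > inviter_role:
        raise RoleCeilingError("requested role exceeds inviter's role")
    current = accesses.get(target)
    if current is not None and current > inviter_role:
        # Also refuse to overwrite the access of someone ranked above the inviter.
        raise RoleCeilingError("target already holds a higher role")
    accesses[target] = requested
    return requested
```

The ceiling has to be evaluated server-side against the stored role of the authenticated caller, never against a role value supplied in the request.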

Key dates

02 Disclosure timeline

May 8, 2026 CVE published
May 8, 2026 Record updated