CVE-2026-25811
Published: 09 February 2026
Summary
CVE-2026-25811 is a critical-severity Incorrect Authorization (CWE-863) vulnerability in Prasklatechnology Placipy. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 15.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and AC-3 (Access Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
AC-24 (Access Control Decisions): requires that the tenant be determined by a validated access-control decision, not derived solely from an unvalidated, user-supplied email domain.
AC-3 (Access Enforcement): enforces approved authorizations at the application level, so that cross-tenant data access is blocked even where tenant identification is flawed.
AC-6 (Least Privilege): restricts each user strictly to their own tenant's data, limiting unauthorized read and write access across tenants.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An authorization bypass (CWE-863) in a public-facing multi-tenant web application directly enables T1190 (Exploit Public-Facing Application) for initial access; the resulting cross-tenant read/write access facilitates T1213 (Data from Information Repositories) for collection.
NVD Description
PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the application derives the tenant identifier directly from the email domain provided by the user, without validating domain ownership or registration. This allows cross-tenant data access.
Deeper analysis
CVE-2026-25811 affects PlaciPy version 1.0.0, a placement management system designed for educational institutions. The vulnerability stems from the application deriving the tenant identifier directly from the email domain provided by the user, without validating domain ownership or registration. This flaw, classified under CWE-863 (Incorrect Authorization), enables cross-tenant data access and carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), indicating critical severity due to high impacts on confidentiality and integrity.
A network-reachable, unauthenticated attacker can exploit this vulnerability with low complexity and no user interaction. By supplying an email address in a target tenant's domain, the attacker is treated as a member of that tenant and gains unauthorized read and write access to sensitive data belonging to other tenants within the multi-tenant environment. Because the domain string is attacker-controlled, any check that relies on it alone is not an authorization decision at all.
Mitigation details and patches are outlined in the GitHub Security Advisory at https://github.com/Praskla-Technology/assessment-placipy/security/advisories/GHSA-3gmm-9ww2-87fh, which practitioners should consult for remediation steps. The CVE was published on 2026-02-09.
Details
- CWE(s)