Cyber Resilience

CVE-2026-25811

Medium

Published: 09 February 2026

Published
09 February 2026
Modified
18 February 2026
KEV Added
Patch
CVSS Score v4 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0027 18.3th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2026-25811 is a medium-severity Incorrect Authorization (CWE-863) vulnerability in Prasklatechnology Placipy. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 18.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-25811 affects PlaciPy version 1.0.0, a placement management system designed for educational institutions. The vulnerability stems from the application deriving the tenant identifier directly from the email domain provided by the user, without validating domain ownership or registration. This flaw, classified under CWE-863 (Incorrect Authorization), enables cross-tenant data access and carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), indicating critical severity due to high impacts on confidentiality and integrity.

An unauthenticated attacker accessible over the network can exploit this vulnerability with low complexity and no user interaction required. By supplying an email address using the domain of a target tenant, the attacker bypasses authorization controls, gaining unauthorized read and write access to sensitive data belonging to other tenants within the multi-tenant environment.

Mitigation details and patches are outlined in the GitHub Security Advisory at https://github.com/Praskla-Technology/assessment-placipy/security/advisories/GHSA-3gmm-9ww2-87fh, which security practitioners should consult for remediation steps. The advisory was referenced following the CVE's publication on 2026-02-09.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the application derives the tenant identifier directly from the email domain provided by the user, without validating domain ownership or registration. This allows cross-tenant data access.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1213 Data from Information Repositories Collection
Adversaries may leverage information repositories to mine valuable information.
Why these techniques?

Public-facing multi-tenant web app authorization bypass (CWE-863) directly enables T1190 exploitation for initial access; resulting cross-tenant read/write access facilitates T1213 collection from information repositories.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-25875Same product: Prasklatechnology Placipy
CVE-2026-25876Same product: Prasklatechnology Placipy
CVE-2026-25809Same product: Prasklatechnology Placipy
CVE-2026-25813Same product: Prasklatechnology Placipy
CVE-2026-25814Same product: Prasklatechnology Placipy
CVE-2026-25810Same product: Prasklatechnology Placipy
CVE-2026-25812Same product: Prasklatechnology Placipy
CVE-2026-25753Same product: Prasklatechnology Placipy
CVE-2025-21516Shared CWE-863
CVE-2025-21506Shared CWE-863

Affected Assets

prasklatechnology
placipy
1.0.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires correct access control decisions for tenant authorization, preventing derivation of tenant ID solely from unvalidated user-supplied email domains.

prevent

Enforces approved authorizations at the application level to block cross-tenant data access despite flawed tenant identification.

prevent

Applies least privilege to restrict user access strictly to their own tenant's data, mitigating unauthorized read/write across tenants.

References