CVE-2026-25875
Published: 09 February 2026
Summary
CVE-2026-25875 is a critical-severity Incorrect Authorization (CWE-863) vulnerability in Prasklatechnology Placipy. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 21.1th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations identified by our analysis are NIST 800-53 AC-3 (Access Enforcement) and AC-24 (Access Control Decisions).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): requires the system to enforce approved authorizations for access, directly addressing the middleware's failure to verify JWT role and scope claims server-side.
- AC-24 (Access Control Decisions): mandates processes for making access control decisions based on validated attributes, mitigating reliance on unverified client-controlled JWT claims.
- AC-6 (Least Privilege): enforces least privilege to limit the scope and impact of unauthorized admin access gained through forged JWT role claims.
MITRE ATT&CK Enterprise Techniques
- T1190 (Exploit Public-Facing Application)
Why these techniques?
The CVE describes a remotely exploitable authorization bypass in a network-accessible web application (PlaciPy). It directly enables adversaries to gain initial access and full admin privileges by exploiting a public, internet-facing application without authenticating.
NVD Description
PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the admin authorization middleware trusts client-controlled JWT claims (role and scope) without enforcing server-side role verification.
Deeper analysis
CVE-2026-25875 is a critical authorization vulnerability in PlaciPy version 1.0.0, an open-source placement management system designed for educational institutions. The issue resides in the admin authorization middleware, which trusts client-controlled claims in JSON Web Tokens (JWTs), such as role and scope, without verifying the subject's actual role against server-side state. The flaw is classified under CWE-863 (Incorrect Authorization) and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H): it is reachable over the network, low in complexity, and requires neither privileges nor user interaction.
The vulnerability enables remote exploitation by any unauthenticated attacker with network access. By crafting a JWT token embedding falsified admin-level role and scope claims, an attacker can bypass authorization checks entirely. Successful exploitation grants full administrative privileges, allowing arbitrary actions such as data manipulation, user account control, or system disruption, with high impacts on confidentiality, integrity, and availability.
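The following is an added illustration, not PlaciPy's code, of the authorization pattern the advisory describes next to a hardened form. It implements a minimal HS256 JWT with the standard library; the key, user store and subject names are constructed for the example. The hardened check verifies the signature and then takes the role from the server's own user record, ignoring whatever `role`/`scope` the token carries.

```python
import base64
import hashlib
import hmac
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_jwt(claims: dict, key: bytes) -> str:
    """Mint an HS256 JWT (header.payload.signature); used here only to build test inputs."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def vulnerable_is_admin(token: str) -> bool:
    """CWE-863 pattern from the advisory: the token's own role/scope claims decide."""
    payload = json.loads(_b64url_decode(token.split(".")[1]))
    return payload.get("role") == "admin" and "admin" in payload.get("scope", "")


def hardened_is_admin(token: str, key: bytes, user_roles: dict) -> bool:
    """Verify algorithm and HMAC, then authorize from the server-side role store."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
    except (ValueError, UnicodeDecodeError):
        return False
    if header.get("alg") != "HS256":  # refuse 'none' and algorithm-confusion headers
        return False
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return False
    claims = json.loads(_b64url_decode(payload_b64))
    # The role claim in the token is never consulted; the server's record is authoritative.
    return user_roles.get(claims.get("sub")) == "admin"


# Constructed sample data for a stand-alone run.
SERVER_KEY = b"constructed-server-signing-key"
USER_ROLES = {"alice": "admin", "bob": "student"}

if __name__ == "__main__":
    forged = issue_jwt({"sub": "bob", "role": "admin", "scope": "admin"}, b"not-the-server-key")
    print("vulnerable:", vulnerable_is_admin(forged), "hardened:", hardened_is_admin(forged, SERVER_KEY, USER_ROLES))
```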
Mitigation guidance and additional details are available in the GitHub security advisory at https://github.com/Praskla-Technology/assessment-placipy/security/advisories/GHSA-mx95-8ppg-v574, published on 2026-02-09.
Details
- CWE(s): CWE-863 (Incorrect Authorization)