CVE-2026-25876
Published: 09 February 2026
Summary
CVE-2026-25876 is a critical-severity Missing Authorization (CWE-862) vulnerability in Prasklatechnology Placipy. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 22.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-16 (Security and Privacy Attributes).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
AC-3 requires enforcement of approved authorizations for access to information and resources, directly addressing the failure to implement object-level ownership checks in PlaciPy's results routes.
AC-6 implements least privilege to restrict access to only authorized objects, mitigating authenticated users' ability to retrieve unauthorized assessment results.
AC-16 manages security attributes like ownership to support fine-grained authorization rules absent in the vulnerable backend routes.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Missing object-level authorization in public-facing web app routes directly enables T1190 exploitation for initial access and facilitates T1213 collection of data from the system's information repositories (assessment results).
NVD Description
PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the backend/src/routes/results.routes.ts verify authentication but fails to enforce object-level authorization (ownership checks). For example, this can be used to return all results for an assessment.
Deeper analysisAI
CVE-2026-25876 is a missing authorization vulnerability (CWE-862) in PlaciPy version 1.0.0, an open-source placement management system designed for educational institutions. The issue affects the backend/src/routes/results.routes.ts component, which properly verifies authentication but fails to enforce object-level authorization, such as ownership checks on resources. As a result, authenticated users can access data beyond their authorized scope, for example, retrieving all results for an assessment.
The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), making it exploitable over the network by unauthenticated attackers (PR:N) with low attack complexity and no user interaction required. Successful exploitation enables high-impact violations of confidentiality and integrity, allowing attackers to read or potentially modify unauthorized assessment results and other objects without ownership validation.
Mitigation details are available in the GitHub security advisory published by the PlaciPy maintainers at https://github.com/Praskla-Technology/assessment-placipy/security/advisories/GHSA-w238-w4mg-j357.
Details
- CWE(s)