CVE-2020-7938
Description
plone.restapi in Plone 5.2.0 through 5.2.1 allows users with a certain privilege level to escalate their privileges up to the highest level.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Privilege escalation in the plone.restapi @sharing endpoint on Plone 5.2.0 through 5.2.1 (plone.restapi releases before 6.2.1): an authenticated user who may delegate some roles can grant roles up to the highest privilege level.
Vulnerability Overview
CVE-2020-7938 is a privilege escalation vulnerability in the plone.restapi package as shipped with Plone 5.2.0 through 5.2.1 (plone.restapi releases before 6.2.1). The bug is in the @sharing endpoint, which did not restrict the roles a user could hand out during a sharing operation to those the user is permitted to delegate. Because the endpoint accepted any role named in the request body, an authenticated user with limited privileges could assign themselves, or any other principal, roles up to the highest level available in Plone [1][2][4].
Attack Vector and Requirements
The attacker must be an authenticated user of a Plone site running an affected version with plone.restapi installed, and must hold at least the permission to delegate some role through the sharing page. No special network position is required; exploitation consists of ordinary HTTP requests to the @sharing REST API endpoint. The vulnerability was reported by Lukas Graf and Niklaus Johner, who also contributed the fix [2][3].
Impact
Successful exploitation gives the attacker full administrative control over the Plone instance: they can perform any action available to the highest-privileged user, including modifying content, altering site configuration and reading data restricted to other users [2].
Mitigation
The Plone project released a security hotfix on 21 January 2020 (PloneHotfix20200121) that addresses this issue along with several others. The fix limits the roles the sharing endpoint will accept to those the current user is legitimately allowed to delegate, and the same change ships in plone.restapi 6.2.1 and Plone 5.2.2 [2][4]. Site operators should apply the hotfix or upgrade to one of those releases; after patching, review the local roles on content that authenticated users could reach, since roles granted before the fix are not revoked by it.
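The delegation check described in the overview and in the mitigation paragraph, modelled in Python as an added example (this is not plone.restapi's code). The request body shape follows the public plone.restapi documentation for POST /@sharing (an "entries" list of objects with "id", "type" and a "roles" map of role name to boolean); the permission names follow Plone's "Sharing page: Delegate <Role> role" convention. The role table, which permissions the caller holds and the local-role store are all constructed for the example.

```python
"""Model of the @sharing role-delegation check: vulnerable handler beside the
hardened one. Added illustration, not plone.restapi's code. Request shape per
the public plone.restapi docs; permission names follow Plone's convention; the
role table, caller permissions and local-role store are constructed here."""
from __future__ import annotations

from typing import Dict, List, Set

# Sharing-page roles and the permission that gates delegating each one.
# Roles absent from this table (e.g. Manager) are never delegable via sharing.
DELEGATION_PERMISSIONS: Dict[str, str] = {
    "Reader": "Sharing page: Delegate Reader role",
    "Contributor": "Sharing page: Delegate Contributor role",
    "Editor": "Sharing page: Delegate Editor role",
    "Reviewer": "Sharing page: Delegate Reviewer role",
}

LocalRoles = Dict[str, Set[str]]   # principal id -> roles held on this object


class ForbiddenRole(Exception):
    """Raised by the hardened handler when a request names a non-delegable role."""


def requested_roles(entry: dict) -> Set[str]:
    """Roles an entry asks to turn on (False values mean 'remove')."""
    return {role for role, on in entry["roles"].items() if on}


def delegatable_roles(caller_permissions: Set[str]) -> Set[str]:
    """Roles the caller may grant or revoke: the sharing-page roles whose
    delegation permission the caller holds, and nothing else."""
    return {role for role, perm in DELEGATION_PERMISSIONS.items()
            if perm in caller_permissions}


def apply_sharing_vulnerable(local_roles: LocalRoles, entries: List[dict]) -> LocalRoles:
    """Pre-fix behaviour: every role name in the body is written as-is, so the
    caller can assign roles far above the ones they are allowed to delegate."""
    for entry in entries:
        local_roles[entry["id"]] = requested_roles(entry)
    return local_roles


def apply_sharing_fixed(local_roles: LocalRoles, entries: List[dict],
                        caller_permissions: Set[str]) -> LocalRoles:
    """Post-fix behaviour: refuse any role outside the caller's delegable set
    (whether being granted or revoked) and change only the roles named."""
    allowed = delegatable_roles(caller_permissions)
    for entry in entries:                       # validate everything before writing
        illegal = set(entry["roles"]) - allowed
        if illegal:
            raise ForbiddenRole(
                f"{entry['id']}: caller may not delegate {sorted(illegal)}")
    for entry in entries:
        roles = set(local_roles.get(entry["id"], set()))
        for role, on in entry["roles"].items():  # every role here is in `allowed`
            if on:
                roles.add(role)
            else:
                roles.discard(role)
        local_roles[entry["id"]] = roles         # unnamed roles are preserved
    return local_roles


if __name__ == "__main__":
    # Constructed attack: a user who may delegate only Editor asks for Manager too.
    attack = [{"id": "attacker", "type": "user",
               "roles": {"Editor": True, "Manager": True}}]
    caller = {"Sharing page: Delegate Editor role"}
    print("vulnerable:", apply_sharing_vulnerable({}, attack))
    try:
        apply_sharing_fixed({}, attack, caller)
    except ForbiddenRole as exc:
        print("fixed:", exc)
```

The hardened handler validates every entry before writing anything, so a body that mixes legitimate and illegitimate roles is rejected as a whole rather than partially applied, and it treats a `False` for a non-delegable role as an attempted revocation and rejects that too.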
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| plone.restapi (PyPI) | < 6.2.1 | 6.2.1 |
| Plone (PyPI) | >= 5.2.0, < 5.2.2 | 5.2.2 |
Affected products
- Plone/Plone (GHSA coordinates, no CPE assigned), 2 version ranges:
  - range: >= 5.2.0, < 5.2.2
  - range: < 6.2.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-cjg3-q24h-9qwf (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-7938 (advisory)
- www.openwall.com/lists/oss-security/2020/01/24/1 (mailing list)
- github.com/plone/plone.restapi/issues/857 (web)
- github.com/plone/plone.restapi/pull/859 (web)
- github.com/pypa/advisory-database/tree/main/vulns/plone/PYSEC-2020-87.yaml (web)
- plone.org/security/hotfix/20200121 (web)
- plone.org/security/hotfix/20200121/privilege-escalation-when-plone-restapi-is-installed (web)
- www.openwall.com/lists/oss-security/2020/01/22/1 (web)
News mentions
No linked articles in our index yet.