Medium severity 5.5 · NVD Advisory · Published May 8, 2026 · Updated May 13, 2026
CVE-2026-42185
Description
People is an application to handle users and teams, and distribute permissions across La Suite. Prior to version 1.25.0, a user holding the Administrator role on a mail domain could send a crafted invitation request to promote any existing user (including users with no current domain access) to the Owner role. The exploit requires a single authenticated HTTP request and grants full domain ownership immediately, without any acceptance step from the target. This issue has been patched in version 1.25.0.
Affected products: 1
Patches: 0
No patches discovered yet.
References: 3