Privilege escalation when plone.restapi is installed

Versions affected

  • 5.2.1
  • 5.2.0


Sites using plone.restapi allow for users with a certain privilege level to escalate their privileges up to the highest level. A site is only vulnerable when plone.restapi is installed in the add-ons (modules) control panel. plone.restapi is included since Plone version 5.2, but not installed by default.

Current status



Discovered by

  • Lukas Graf
  • Niklaus Johner

Fixed by

  • Lukas Graf
  • Niklaus Johner

Coordinated by

  • Plone Security Team