CVE-2026-23480

HIGH

Blinko: Low Privilege User Privilege Escalation - upsertUser Endpoint

Title source: cna
STIX 2.1

Description

Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, there is a privilege escalation vulnerability. The upsertUser endpoint has 3 issues: it is missing superAdminAuthMiddleware, any logged-in user can call it; the originalPassword is an optional parameter and if not provided password verification is skipped; there is no check for input.id === ctx.id (ownership verification). This could result in any authenticated user modifying other users' passwords, direct escalation to superadmin, and complete account takeover. This issue has been patched in version 1.8.4.

References (3)

Scores

CVSS v3 8.8
EPSS 0.0002
EPSS Percentile 4.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-288
Status published
Products (2)
blinko/blinko < 1.8.4
blinkospace/blinko < 1.8.4
Published Mar 23, 2026
Tracked Since Mar 24, 2026