CVE-2026-25083

HIGH

GROWI v7.4.5 and earlier - Auth Bypass

Title source: llm

Description

GROWI OpenAI thread/message API endpoints do not perform authorization. Affected are v7.4.5 and earlier versions. A logged-in user who knows a shared AI assistant's identifier may view and/or tamper the other user's threads/messages.

References (2)

Core 2

Core References

https://jvn.jp/en/jp/JVN46373837/

https://growi.co.jp/news/41/

Scores

CVSS v3 8.3

EPSS 0.0033

EPSS Percentile 24.5%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-862

Status published

Products (1)

GROWI, Inc./GROWI v7.4.5 and earlier

Published Mar 16, 2026

Tracked Since Mar 16, 2026