CVE-2026-61463

HIGH

Shiori Authenticated Privilege Escalation via PATCH /api/v1/auth/account

Title source: cna
STIX 2.1

Description

Shiori contains a privilege escalation vulnerability in the account update endpoint that allows authenticated users to modify the owner field without authorization checks. Attackers can escalate to administrator by submitting a crafted PATCH request with owner: true, then re-authenticate to obtain an admin JWT token granting full system access.

Scores

CVSS v3 8.8
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-269
Status published
Products (1)
go-shiori/shiori < 1.8.0
Published Jul 13, 2026
Tracked Since Jul 13, 2026