CVE-2026-23480

EUVD-2026-14529

23.03.2026, 21:17

Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, there is a privilege escalation vulnerability. The upsertUser endpoint has 3 issues: it is missing superAdminAuthMiddleware, any logged-in user can call it; the originalPassword is an optional parameter and if not provided password verification is skipped; there is no check for input.id === ctx.id (ownership verification). This could result in any authenticated user modifying other users' passwords, direct escalation to superadmin, and complete account takeover. This issue has been patched in version 1.8.4.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	8.8 HIGH	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Affected Products (NVD)

Vendor	Product	Version
blinko	blinko	𝑥 < 1.8.4

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-288 - Authentication Bypass Using an Alternate Path or Channel
A product requires authentication, but the product has an alternate path or channel that does not require authentication.

References

https://github.com/blinkospace/blinko/commit/3afbdf486b6f371bdac5781dea6289749f2c4c03

https://github.com/blinkospace/blinko/releases/tag/1.8.4

https://github.com/blinkospace/blinko/security/advisories/GHSA-r3mv-q7ww-86p6