CVE-2026-23488

EUVD-2026-14544

23.03.2026, 21:17

Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, the /api/v1/comment/create endpoint has an unauthorized access vulnerability, allowing attackers to post comments on any note (including private notes) without authorization, even if the note has not been publicly shared. The /api/v1/comment/list endpoint has the same issue, allowing unauthorized viewing of comments on all notes. This issue has been patched in version 1.8.4.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.3 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Affected Products (NVD)

Vendor	Product	Version
blinko	blinko	𝑥 < 1.8.4

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-639 - Authorization Bypass Through User-Controlled Key
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

References

https://github.com/blinkospace/blinko/commit/4623dd02bdeed768ffa6fea4cc2f8644cbb08c5e

https://github.com/blinkospace/blinko/pull/1089

https://github.com/blinkospace/blinko/releases/tag/1.8.4

https://github.com/blinkospace/blinko/security/advisories/GHSA-84hm-vw62-472m