CVE-2026-23480

Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, there is a privilege escalation vulnerability. The upsertUser endpoint has 3 issues: it is missing superAdminAuthMiddleware, any logged-in user can call it; the originalPassword is an optional parameter and if not provided password verification is skipped; there is no check for input.id === ctx.id (ownership verification). This could result in any authenticated user modifying other users' passwords, direct escalation to superadmin, and complete account takeover. This issue has been patched in version 1.8.4.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/blinkospace/blinko/commit/3afbdf486b6f371bdac5781dea6289749f2c4c03	Patch
https://github.com/blinkospace/blinko/releases/tag/1.8.4	Release Notes
https://github.com/blinkospace/blinko/security/advisories/GHSA-r3mv-q7ww-86p6	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:blinko:blinko:*:*:*:*:*:*:*:*

History

24 Mar 2026, 18:33

Type	Values Removed	Values Added
First Time		Blinko Blinko blinko
Summary		(es) Blinko es un proyecto de toma de notas en tarjetas impulsado por IA. Antes de la versión 1.8.4, existe una vulnerabilidad de escalada de privilegios. El endpoint upsertUser tiene 3 problemas: le falta superAdminAuthMiddleware, cualquier usuario con sesión iniciada puede llamarlo; el originalPassword es un parámetro opcional y si no se proporciona, la verificación de contraseña se omite; no hay una verificación para input.id === ctx.id (verificación de propiedad). Esto podría resultar en que cualquier usuario autenticado modifique las contraseñas de otros usuarios, una escalada directa a superadministrador y una toma de control completa de la cuenta. Este problema ha sido parcheado en la versión 1.8.4.
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 8.8
References	~~() https://github.com/blinkospace/blinko/commit/3afbdf486b6f371bdac5781dea6289749f2c4c03 -~~	() https://github.com/blinkospace/blinko/commit/3afbdf486b6f371bdac5781dea6289749f2c4c03 - Patch
References	~~() https://github.com/blinkospace/blinko/releases/tag/1.8.4 -~~	() https://github.com/blinkospace/blinko/releases/tag/1.8.4 - Release Notes
References	~~() https://github.com/blinkospace/blinko/security/advisories/GHSA-r3mv-q7ww-86p6 -~~	() https://github.com/blinkospace/blinko/security/advisories/GHSA-r3mv-q7ww-86p6 - Vendor Advisory
CPE		cpe:2.3:a:blinko:blinko::::::::

23 Mar 2026, 21:17

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-23 21:17

Updated : 2026-03-24 18:33

NVD link : CVE-2026-23480

Mitre link : CVE-2026-23480

CVE.ORG link : CVE-2026-23480

JSON object : View

Products Affected

blinko

blinko

CWE

CWE-288

Authentication Bypass Using an Alternate Path or Channel

8.8 /10