CVE-2026-23487

Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, there is an IDOR vulnerability where user.detail Endpoint Leaks the Superadmin Token. This issue has been patched in version 1.8.4.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/blinkospace/blinko/commit/bef6b770743e87c630db2d00d7049dabd96bfe85	Patch
https://github.com/blinkospace/blinko/releases/tag/1.8.4	Release Notes
https://github.com/blinkospace/blinko/security/advisories/GHSA-4ffv-78qx-9p66	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:blinko:blinko:*:*:*:*:*:*:*:*

History

24 Mar 2026, 18:04

Type	Values Removed	Values Added
First Time		Blinko Blinko blinko
References	~~() https://github.com/blinkospace/blinko/commit/bef6b770743e87c630db2d00d7049dabd96bfe85 -~~	() https://github.com/blinkospace/blinko/commit/bef6b770743e87c630db2d00d7049dabd96bfe85 - Patch
References	~~() https://github.com/blinkospace/blinko/releases/tag/1.8.4 -~~	() https://github.com/blinkospace/blinko/releases/tag/1.8.4 - Release Notes
References	~~() https://github.com/blinkospace/blinko/security/advisories/GHSA-4ffv-78qx-9p66 -~~	() https://github.com/blinkospace/blinko/security/advisories/GHSA-4ffv-78qx-9p66 - Vendor Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 6.5
CPE		cpe:2.3:a:blinko:blinko::::::::
Summary		(es) Blinko es un proyecto de toma de notas en tarjetas impulsado por IA. Antes de la versión 1.8.4, existe una vulnerabilidad IDOR donde el endpoint user.detail filtra el token de superadministrador. Este problema ha sido parcheado en la versión 1.8.4.

23 Mar 2026, 21:17

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-23 21:17

Updated : 2026-03-24 18:04

NVD link : CVE-2026-23487

Mitre link : CVE-2026-23487

CVE.ORG link : CVE-2026-23487

JSON object : View

Products Affected

blinko

blinko

CWE

CWE-639

Authorization Bypass Through User-Controlled Key

{"id": "CVE-2026-23487", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.0, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-23T21:17:03.127", "references": [{"url": "https://github.com/blinkospace/blinko/commit/bef6b770743e87c630db2d00d7049dabd96bfe85", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/blinkospace/blinko/releases/tag/1.8.4", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/blinkospace/blinko/security/advisories/GHSA-4ffv-78qx-9p66", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-639"}]}], "descriptions": [{"lang": "en", "value": "Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, there is an IDOR vulnerability where user.detail Endpoint Leaks the Superadmin Token. This issue has been patched in version 1.8.4."}, {"lang": "es", "value": "Blinko es un proyecto de toma de notas en tarjetas impulsado por IA. Antes de la versi\u00f3n 1.8.4, existe una vulnerabilidad IDOR donde el endpoint user.detail filtra el token de superadministrador. Este problema ha sido parcheado en la versi\u00f3n 1.8.4."}], "lastModified": "2026-03-24T18:04:33.710", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:blinko:blinko:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "31941A3D-C688-40DF-AA55-1AF9056275D0", "versionEndExcluding": "1.8.4"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}