CVE-2026-23488

Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, the /api/v1/comment/create endpoint has an unauthorized access vulnerability, allowing attackers to post comments on any note (including private notes) without authorization, even if the note has not been publicly shared. The /api/v1/comment/list endpoint has the same issue, allowing unauthorized viewing of comments on all notes. This issue has been patched in version 1.8.4.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/blinkospace/blinko/commit/4623dd02bdeed768ffa6fea4cc2f8644cbb08c5e	Patch
https://github.com/blinkospace/blinko/pull/1089	Release Notes
https://github.com/blinkospace/blinko/releases/tag/1.8.4	Release Notes
https://github.com/blinkospace/blinko/security/advisories/GHSA-84hm-vw62-472m	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:blinko:blinko:*:*:*:*:*:*:*:*

History

24 Mar 2026, 18:03

Type	Values Removed	Values Added
Summary		(es) Blinko es un proyecto de toma de notas en tarjetas impulsado por IA. Antes de la versión 1.8.4, el endpoint /api/v1/comment/create tiene una vulnerabilidad de acceso no autorizado, permitiendo a los atacantes publicar comentarios en cualquier nota (incluidas las notas privadas) sin autorización, incluso si la nota no ha sido compartida públicamente. El endpoint /api/v1/comment/list tiene el mismo problema, permitiendo la visualización no autorizada de comentarios en todas las notas. Este problema ha sido parcheado en la versión 1.8.4.
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.3
First Time		Blinko Blinko blinko
CPE		cpe:2.3:a:blinko:blinko::::::::
References	~~() https://github.com/blinkospace/blinko/commit/4623dd02bdeed768ffa6fea4cc2f8644cbb08c5e -~~	() https://github.com/blinkospace/blinko/commit/4623dd02bdeed768ffa6fea4cc2f8644cbb08c5e - Patch
References	~~() https://github.com/blinkospace/blinko/pull/1089 -~~	() https://github.com/blinkospace/blinko/pull/1089 - Release Notes
References	~~() https://github.com/blinkospace/blinko/releases/tag/1.8.4 -~~	() https://github.com/blinkospace/blinko/releases/tag/1.8.4 - Release Notes
References	~~() https://github.com/blinkospace/blinko/security/advisories/GHSA-84hm-vw62-472m -~~	() https://github.com/blinkospace/blinko/security/advisories/GHSA-84hm-vw62-472m - Vendor Advisory

23 Mar 2026, 21:17

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-23 21:17

Updated : 2026-03-24 18:03

NVD link : CVE-2026-23488

Mitre link : CVE-2026-23488

CVE.ORG link : CVE-2026-23488

JSON object : View

Products Affected

blinko

blinko

CWE

CWE-639

Authorization Bypass Through User-Controlled Key

5.3 /10