CVE-2026-23480 - Blinko: Low Privilege User Privilege Escalation - upsertUser Endpoint
CVE ID :CVE-2026-23480
Published : March 23, 2026, 8:39 p.m. | 23 minutes ago
Description :Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, there is a privilege escalation vulnerability. The upsertUser endpoint has 3 issues: it is missing superAdminAuthMiddleware, any logged-in user can call it; the originalPassword is an optional parameter and if not provided password verification is skipped; there is no check for input.id === ctx.id (ownership verification). This could result in any authenticated user modifying other users' passwords, direct escalation to superadmin, and complete account takeover. This issue has been patched in version 1.8.4.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
Published : March 23, 2026, 8:39 p.m. | 23 minutes ago
Description :Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, there is a privilege escalation vulnerability. The upsertUser endpoint has 3 issues: it is missing superAdminAuthMiddleware, any logged-in user can call it; the originalPassword is an optional parameter and if not provided password verification is skipped; there is no check for input.id === ctx.id (ownership verification). This could result in any authenticated user modifying other users' passwords, direct escalation to superadmin, and complete account takeover. This issue has been patched in version 1.8.4.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...