Description
Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, there is a privilege escalation vulnerability. The upsertUser endpoint has 3 issues: it is missing superAdminAuthMiddleware, so any logged-in user can call it; originalPassword is an optional parameter, and if it is not provided password verification is skipped; and there is no check that input.id === ctx.id (ownership verification). This could result in any authenticated user modifying other users' passwords, direct escalation to superadmin, and complete account takeover. This issue has been patched in version 1.8.4.
Published: 2026-03-23
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Patch
AI Analysis

Impact

A privilege escalation flaw exists in the upsertUser endpoint of Blinko, an AI‑driven card note‑taking system. The endpoint is missing a superAdminAuthMiddleware, accepts an optional originalPassword field that bypasses verification when omitted, and fails to verify that the target user ID matches the caller’s own ID. These oversights allow any authenticated user to change another user's password, elevate privileges to a superadmin level, and ultimately take full control of that account.
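The following is an added illustration written for this page, not code from the Blinko project: a minimal TypeScript model of an upsertUser handler with the three defects the advisory lists, beside a hardened version that enforces the superadmin gate, the input.id === ctx.id ownership check, and a mandatory originalPassword for self-service password changes. The in-memory user store, the Ctx and UpsertInput shapes, and every function name here are assumptions; Blinko's real handler, router and schema are not reproduced.

```typescript
// Added example for this page: a minimal model of the Blinko upsertUser flaw
// (CVE-2026-23480) beside a hardened version. Illustrative code, not Blinko's
// source: the in-memory store, the Ctx/UpsertInput shapes and all function names
// are assumptions that mirror the advisory's three findings.
import * as crypto from "crypto";

type Role = "user" | "superadmin";
interface User { id: number; name: string; role: Role; salt: string; hash: string }
interface Ctx { id: number; role: Role }   // the authenticated caller (assumed shape)
interface UpsertInput {
  id?: number; name?: string; role?: Role; password?: string; originalPassword?: string;
}

function hashPassword(password: string, salt: string): string {
  return crypto.scryptSync(password, salt, 32).toString("hex");
}

function verifyPassword(user: User, password: string): boolean {
  const a = Buffer.from(hashPassword(password, user.salt), "hex");
  const b = Buffer.from(user.hash, "hex");
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

function makeUser(id: number, name: string, role: Role, password: string): User {
  const salt = crypto.randomBytes(16).toString("hex");
  return { id, name, role, salt, hash: hashPassword(password, salt) };
}

// Constructed sample data: one superadmin and one ordinary user.
function seedStore(): Map<number, User> {
  return new Map<number, User>([
    [1, makeUser(1, "admin", "superadmin", "admin-secret")],
    [2, makeUser(2, "mallory", "user", "mallory-pw")],
  ]);
}

function applyUpdate(store: Map<number, User>, input: UpsertInput): User {
  const target = input.id !== undefined ? store.get(input.id) : undefined;
  if (!target) throw new Error("user not found");
  if (input.name !== undefined) target.name = input.name;
  if (input.role !== undefined) target.role = input.role;
  if (input.password !== undefined) target.hash = hashPassword(input.password, target.salt);
  return target;
}

// Vulnerable shape, as the advisory describes it: no superadmin gate, no
// input.id === ctx.id check, and originalPassword only verified when the caller
// chooses to send it. The caller's identity (ctx) is never consulted.
function upsertUserVulnerable(store: Map<number, User>, _ctx: Ctx, input: UpsertInput): User {
  const target = input.id !== undefined ? store.get(input.id) : undefined;
  if (!target) throw new Error("user not found");
  if (input.originalPassword !== undefined && !verifyPassword(target, input.originalPassword)) {
    throw new Error("wrong original password");
  }
  return applyUpdate(store, input);
}

// Hardened shape with the three missing checks made explicit.
function upsertUserFixed(store: Map<number, User>, ctx: Ctx, input: UpsertInput): User {
  const targetId = input.id ?? ctx.id;        // default to self; never trust a bare id
  const isSelf = targetId === ctx.id;
  const isSuperadmin = ctx.role === "superadmin";
  // Ownership / superadmin gate: only a superadmin may modify another account.
  if (!isSelf && !isSuperadmin) throw new Error("forbidden: cannot modify another user");
  // No self-promotion: role changes are a superadmin-only operation.
  if (!isSuperadmin && input.role !== undefined && input.role !== ctx.role) {
    throw new Error("forbidden: role change requires superadmin");
  }
  // originalPassword is mandatory, not optional, when changing your own password.
  // (A superadmin resetting someone else's password is an admin reset and skips it.)
  if (input.password !== undefined && isSelf) {
    const self = store.get(ctx.id);
    if (!self || input.originalPassword === undefined || !verifyPassword(self, input.originalPassword)) {
      throw new Error("original password required and must match");
    }
  }
  return applyUpdate(store, { ...input, id: targetId });
}
```

Against the seeded store, a caller with ctx.id 2 and role "user" can use upsertUserVulnerable to set user 1's password without knowing it, or to set its own role to "superadmin"; upsertUserFixed rejects both and additionally refuses a self password change that omits or mis-states originalPassword. Two choices in the fixed handler are design assumptions rather than facts from this page: a missing id defaults to the caller, and a superadmin resetting another account is treated as an admin reset that does not require originalPassword.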

Affected Systems

The vulnerability affects the blinkospace Blinko application. All versions before 1.8.4 are vulnerable. The patch is available in release 1.8.4 as referenced in the official advisory.

Risk and Exploitability

The CVSS v4.0 base score is 5.3 (medium); NVD's CVSS v3.1 assessment of the same issue is 8.8 (high), reflecting full confidentiality, integrity and availability impact once an account is taken over. The EPSS score is below 1%, suggesting a low current probability of exploitation, and the issue is not listed in the CISA KEV catalog. Exploitation requires only a low-privileged authenticated account and no user interaction, and the endpoint is reachable over the network (AV:N), so any user who can register or log in to an exposed Blinko instance can attempt it; the SSVC assessment also marks the issue as automatable.

Generated by OpenCVE AI on March 24, 2026 at 19:27 UTC.

Remediation

The vendor fix is Blinko release 1.8.4; no separate workaround has been published.

OpenCVE Recommended Actions

  • Update Blinko to version 1.8.4 or later
  • If an update cannot be performed immediately, restrict or disable the upsertUser endpoint to prevent unauthorized use until the patch is applied

Advisories

No advisories yet.

History

Tue, 24 Mar 2026 18:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Blinko; Blinko blinko
CPEs                                   cpe:2.3:a:blinko:blinko:*:*:*:*:*:*:*:*
Vendors & Products                     Blinko; Blinko blinko
Metrics                                cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Tue, 24 Mar 2026 15:15:00 +0000

Type                  Values Removed   Values Added
Metrics                                ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 24 Mar 2026 10:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Blinkospace; Blinkospace blinko
Vendors & Products                     Blinkospace; Blinkospace blinko

Tue, 24 Mar 2026 02:30:00 +0000

Type                  Values Removed   Values Added
Description                            Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, there is a privilege escalation vulnerability. The upsertUser endpoint has 3 issues: it is missing superAdminAuthMiddleware, any logged-in user can call it; the originalPassword is an optional parameter and if not provided password verification is skipped; there is no check for input.id === ctx.id (ownership verification). This could result in any authenticated user modifying other users' passwords, direct escalation to superadmin, and complete account takeover. This issue has been patched in version 1.8.4.
Title                                  Blinko: Low Privilege User Privilege Escalation - upsertUser Endpoint
Weaknesses                             CWE-288
References
Metrics                                cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-24T14:08:24.272Z

Reserved: 2026-01-13T15:47:41.627Z

Link: CVE-2026-23480

Vulnrichment

Updated: 2026-03-24T14:08:21.497Z

NVD

Status : Analyzed

Published: 2026-03-23T21:17:01.940

Modified: 2026-03-24T18:33:48.443

Link: CVE-2026-23480

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T20:36:40Z

Weaknesses