Description
Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, the file server endpoint does not perform permission checks on the temp/ path and does not filter path traversal sequences, allowing unauthorized attackers to read arbitrary files on the server. When scheduled backup tasks are enabled, attackers can read backup files to obtain all user notes and user TOKENS. This issue has been patched in version 1.8.4.
Published: 2026-03-23
Score: 8.2 High
EPSS: 20.5% Moderate
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw arises in Blinko's /api/file/temp endpoint, which lacks permission checks and path‑traversal sanitization. This permits attackers to read any file under the temp/ directory, including backup files that contain all user notes and authentication tokens. The resulting data disclosure exposes sensitive user information and credentials, representing a significant confidentiality breach. The weakness is classified as a path‑traversal issue (CWE‑22).

Affected Systems

The vulnerability is present in the blinkospace blinko product versions prior to 1.8.4. All releases before 1.8.4 expose the unsecured endpoint and are susceptible. The patch was delivered in version 1.8.4.

Risk and Exploitability

With a CVSS score of 8.2 the severity is high, and the EPSS score indicates roughly a 20% probability of exploitation activity in the next 30 days. The vulnerability is not listed in CISA's KEV catalog, so CISA has not recorded in-the-wild exploitation. Attackers can exploit the flaw remotely by issuing a crafted HTTP request to /api/file/temp; authentication is not required for the traversal to succeed, so unpatched deployments remain exposed until they are updated.

Generated by OpenCVE AI on May 2, 2026 at 08:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Blinko to version 1.8.4 or later.
  • Disable scheduled backup tasks to prevent unauthorized file reads.
  • Restrict access to the /api/file/temp endpoint by network segmentation or firewall rules.

Advisories

No advisories yet.

History

Tue, 24 Mar 2026 19:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Blinko; Blinko blinko
CPEs | | cpe:2.3:a:blinko:blinko:*:*:*:*:*:*:*:*
Vendors & Products | | Blinko; Blinko blinko
Metrics | | cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Tue, 24 Mar 2026 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 24 Mar 2026 10:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Blinkospace; Blinkospace blinko
Vendors & Products | | Blinkospace; Blinkospace blinko

Tue, 24 Mar 2026 02:30:00 +0000

Type | Values Removed | Values Added
Description | | Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, the file server endpoint does not perform permission checks on the temp/ path and does not filter path traversal sequences, allowing unauthorized attackers to read arbitrary files on the server. When scheduled backup tasks are enabled, attackers can read backup files to obtain all user notes and user TOKENS. This issue has been patched in version 1.8.4.
Title | | Blinko: Unauthorized Arbitrary File Read - /api/file/temp
Weaknesses | | CWE-22
References | |
Metrics | | cvssV4_0 {'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-24T13:51:48.530Z

Reserved: 2026-01-13T15:47:41.627Z

Link: CVE-2026-23482

Vulnrichment

Updated: 2026-03-24T13:51:41.463Z

NVD

Status: Analyzed

Published: 2026-03-23T21:17:02.293

Modified: 2026-03-24T18:49:38.363

Link: CVE-2026-23482

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T08:30:26Z

Weaknesses