Description
Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, a publicly accessible endpoint exposes all user information, including usernames, roles, and account creation dates. This issue has been patched in version 1.8.4.
Published: 2026-03-23
Score: 6.9 Medium
EPSS: 3.2% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A public API endpoint in Blinko disclosed information about every user, including usernames, roles and account creation dates. The disclosure is a breach of confidentiality: any visitor can enumerate user identities and privilege levels. The weakness matches CWE-200, Unauthorized Access to Sensitive Information, and could enable attackers to build targeted social-engineering or credential-guessing campaigns.

Affected Systems

The issue affects the Blinkospace Blinko application in all releases prior to 1.8.4. Users running the open-source AI-powered card note-taking project are exposed to the leak until the patch is applied. The fix shipped in version 1.8.4, which removes the unauthenticated endpoint.

Risk and Exploitability

The CVSS score of 6.9 indicates a medium-severity vulnerability. With an EPSS of 2%, the probability of exploitation is considered low, and it is not currently listed in the CISA KEV catalog. Attackers can reach the vulnerable endpoint remotely via a simple HTTP GET request; no authentication or special privileges are required. Consequently, the vulnerability is exploitable by anyone with network access to the Blinko instance. While the impact is limited to information disclosure, the exposure of role data may assist further attacks.

Generated by OpenCVE AI on April 29, 2026 at 21:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Blinko to version 1.8.4 or later to remove the unauthenticated endpoint.
  • Implement authentication and proper authorization checks on any future endpoints.
  • Monitor logs for unexpected or repeated access to the previous endpoint.
  • Review and harden configuration to prevent accidental exposure of similar APIs.

Advisories

No advisories yet.

History

Tue, 24 Mar 2026 18:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Blinko
 | | Blinko blinko
CPEs | | cpe:2.3:a:blinko:blinko:*:*:*:*:*:*:*:*
Vendors & Products | | Blinko
 | | Blinko blinko
Metrics | | cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Tue, 24 Mar 2026 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 24 Mar 2026 10:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Blinkospace
 | | Blinkospace blinko
Vendors & Products | | Blinkospace
 | | Blinkospace blinko

Tue, 24 Mar 2026 02:30:00 +0000

Type | Values Removed | Values Added
Description | | Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, a publicly accessible endpoint exposes all user information, including usernames, roles, and account creation dates. This issue has been patched in version 1.8.4.
Title | | Blinko: Unauthorized User Information Leak
Weaknesses | | CWE-200
References | |
Metrics | | cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-24T14:07:26.774Z

Reserved: 2026-01-13T15:47:41.628Z

Link: CVE-2026-23486

Vulnrichment

Updated: 2026-03-24T14:07:21.040Z

NVD

Status: Analyzed

Published: 2026-03-23T21:17:02.980

Modified: 2026-03-24T18:04:52.320

Link: CVE-2026-23486

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T21:45:20Z

Weaknesses