Description
Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, there is an IDOR vulnerability where user.detail Endpoint Leaks the Superadmin Token. This issue has been patched in version 1.8.4.
Published: 2026-03-23
Score: 6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is an IDOR (CWE-639, authorization bypass through a user-controlled key) in the user.detail endpoint of Blinko. An authenticated user who supplies another user's identifier, in particular the superadmin's, can obtain the superadmin token, which grants full administrative authority over the application. With this token, the attacker could perform any privileged operation, such as modifying data, creating or deleting users, or managing system settings. The CVSS vectors rate the direct impact as confidentiality only (token disclosure); the privilege escalation follows from what the disclosed token allows.

Affected Systems

Blinko, an AI‑powered card note‑taking platform developed by BlinkoSpace, is affected. Any deployment running a version prior to 1.8.4 (1.8.3 or earlier) is vulnerable. The fix was released in version 1.8.4; that version and later are not impacted.

Risk and Exploitability

The CVSS 4.0 base score of 6.0 (CVSS 3.1: 6.5) indicates moderate severity. Both vectors are network-reachable, require low privileges (PR:L, an ordinary account) and no user interaction; the 4.0 vector additionally rates attack complexity as high. The EPSS score of less than 1% suggests that widespread exploitation is unlikely, the SSVC assessment records no known exploitation and rates the flaw as not automatable, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, an attacker holding any valid account could exploit the flaw remotely by calling the user.detail API with the superadmin's user identifier, and the response would include the superadmin token. The exact request format and identifier type are not given on this page.

Generated by OpenCVE AI on March 24, 2026 at 20:54 UTC.

Remediation

Vendor fix: Blinko version 1.8.4, per the advisory description. No workaround is documented by the vendor.

OpenCVE Recommended Actions

  • Apply the official patch by upgrading Blinko to version 1.8.4 or later.
  • If an upgrade cannot be performed immediately, restrict external access to the user.detail endpoint or enforce server-side authorization on it: the handler must verify that the authenticated caller is permitted to read the requested user record, and the response must not carry credential material such as the superadmin token. Note that this is an authorization flaw, not an authentication flaw; requiring login does not close it, since the CVSS vectors already assume a logged-in caller.

Generated by OpenCVE AI on March 24, 2026 at 20:54 UTC.
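The IDOR pattern the analysis describes, and the authorization check the recommended actions call for, as an added example. This is not Blinko's code and does not reflect how its user.detail procedure is actually written; the user table, the `token` field, the handler names and the caller context are assumptions chosen to model the reported behaviour (a low-privilege account asking for the superadmin's record and receiving a secret back).

```typescript
// Added example, not Blinko's code. Models a "user.detail"-style endpoint
// with a CWE-639 IDOR next to a hardened version. All names and the data
// layout are assumptions; the user rows below are constructed sample data.

type Role = "superadmin" | "user";

interface UserRow {
  id: number;
  name: string;
  role: Role;
  token: string; // secret credential; must never be returned to another caller
}

// Constructed sample table standing in for the application's user store.
const USERS: UserRow[] = [
  { id: 1, name: "superadmin", role: "superadmin", token: "sa-token-CONSTRUCTED" },
  { id: 2, name: "alice", role: "user", token: "alice-token-CONSTRUCTED" },
];

// Caller identity as the framework would attach it after session authentication.
interface Ctx {
  callerId: number;
}

class Forbidden extends Error {}

function findUser(id: number): UserRow {
  const row = USERS.find((u) => u.id === id);
  if (!row) throw new Error(`no user ${id}`);
  return row;
}

// VULNERABLE (CWE-639): the handler trusts the client-supplied id and returns
// the whole row, secrets included. Any authenticated user (PR:L) can request
// id=1 and receive the superadmin's token.
function userDetailVulnerable(_ctx: Ctx, input: { id: number }): UserRow {
  return findUser(input.id);
}

// The shape a detail endpoint should expose: no credential fields.
interface UserPublic {
  id: number;
  name: string;
  role: Role;
}

// FIXED: (1) authorize against the caller's identity, not the requested id;
// (2) even for permitted reads, project to a DTO without the token, so a
// future authorization slip cannot leak it again.
function userDetailFixed(ctx: Ctx, input: { id: number }): UserPublic {
  const caller = findUser(ctx.callerId);
  if (caller.id !== input.id && caller.role !== "superadmin") {
    throw new Forbidden("may only read own profile");
  }
  const { id, name, role } = findUser(input.id);
  return { id, name, role };
}

// Regression check: does a low-privilege caller (alice, id=2) get the
// superadmin's token back when asking for id=1?
function leaksSuperadminToken(
  handler: (ctx: Ctx, input: { id: number }) => unknown,
): boolean {
  try {
    const res = handler({ callerId: 2 }, { id: 1 }) as Record<string, unknown>;
    return typeof res.token === "string" && res.token === findUser(1).token;
  } catch (e) {
    if (e instanceof Forbidden) return false;
    throw e;
  }
}

// Stand-alone run: prints true for the vulnerable handler, false for the fix.
console.log(leaksSuperadminToken(userDetailVulnerable), leaksSuperadminToken(userDetailFixed));
```

Two points worth keeping separate in a real fix: the ownership check stops the cross-user read, and the projection to `UserPublic` removes the token from the wire format entirely, so that even a superadmin reading another user's profile, or a later handler that forgets the check, cannot emit the credential. Either measure alone would have narrowed this bug; both together are what a review should ask for.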

Advisories

No advisories yet.

History

Tue, 24 Mar 2026 19:15:00 +0000

Type                  Values removed   Values added
Metrics               -                ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 24 Mar 2026 18:15:00 +0000

Type                  Values removed   Values added
First Time appeared   -                Blinko; Blinko blinko
CPEs                  -                cpe:2.3:a:blinko:blinko:*:*:*:*:*:*:*:*
Vendors & Products    -                Blinko; Blinko blinko
Metrics               -                cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

Tue, 24 Mar 2026 10:45:00 +0000

Type                  Values removed   Values added
First Time appeared   -                Blinkospace; Blinkospace blinko
Vendors & Products    -                Blinkospace; Blinkospace blinko

Tue, 24 Mar 2026 02:30:00 +0000

Type                  Values removed   Values added
Description           -                Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, there is an IDOR vulnerability where user.detail Endpoint Leaks the Superadmin Token. This issue has been patched in version 1.8.4.
Title                 -                Blinko: IDOR - user.detail Endpoint Leaks Superadmin Token
Weaknesses            -                CWE-639
References            -                (none listed)
Metrics               -                cvssV4_0: {'score': 6, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-24T18:46:32.047Z

Reserved: 2026-01-13T15:47:41.628Z

Link: CVE-2026-23487

Vulnrichment

Updated: 2026-03-24T18:46:29.361Z

NVD

Status : Analyzed

Published: 2026-03-23T21:17:03.127

Modified: 2026-03-24T18:04:33.710

Link: CVE-2026-23487

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T20:36:38Z

Weaknesses