Description
Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, the /api/v1/comment/create endpoint has an unauthorized access vulnerability, allowing attackers to post comments on any note (including private notes) without authorization, even if the note has not been publicly shared. The /api/v1/comment/list endpoint has the same issue, allowing unauthorized viewing of comments on all notes. This issue has been patched in version 1.8.4.
Published: 2026-03-23
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized use of comment APIs for both reading and writing on private notes
Action: Patch
AI Analysis

Impact

The vulnerability resides in two API endpoints that lack proper access controls. An attacker can submit comments to any note or retrieve all comments, even when the notes are marked private. This gives the attacker the ability to read and add content on notes that were intended to remain confidential, leading to information disclosure and potential integrity compromise.

Affected Systems

Blinkospace Blinko, versions prior to 1.8.4. The application's AI-powered card note-taking features are affected.

Risk and Exploitability

The CVSS score of 6.9 indicates a moderate severity. EPSS shows less than 1% likelihood of active exploitation, and it is not present in the CISA KEV list. The flaw can be leveraged remotely by any user who can reach the API endpoints; no prior authentication is required, so the attack surface is wide.

Generated by OpenCVE AI on March 24, 2026 at 19:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Deploy Blinko version 1.8.4 or later to eliminate the access control flaw.
  • Verify that the deployed server has updated API endpoints without the unauthorized access vulnerability.
  • Monitor API usage logs for any suspicious comment activity after patching.

Advisories

No advisories yet.

History

Tue, 24 Mar 2026 18:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Blinko
                                      Blinko blinko
CPEs                                  cpe:2.3:a:blinko:blinko:*:*:*:*:*:*:*:*
Vendors & Products                    Blinko
                                      Blinko blinko
Metrics                               cvssV3_1
                                      {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


Tue, 24 Mar 2026 14:15:00 +0000

Type                 Values Removed   Values Added
Metrics                               ssvc
                                      {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 24 Mar 2026 10:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Blinkospace
                                      Blinkospace blinko
Vendors & Products                    Blinkospace
                                      Blinkospace blinko

Tue, 24 Mar 2026 02:30:00 +0000

Type                 Values Removed   Values Added
Description                           Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, the /api/v1/comment/create endpoint has an unauthorized access vulnerability, allowing attackers to post comments on any note (including private notes) without authorization, even if the note has not been publicly shared. The /api/v1/comment/list endpoint has the same issue, allowing unauthorized viewing of comments on all notes. This issue has been patched in version 1.8.4.
Title                                 Blinko: multiple interfaces in the comment feature allow unauthorized access
Weaknesses                            CWE-639
References
Metrics                               cvssV4_0
                                      {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-24T13:48:42.544Z

Reserved: 2026-01-13T15:47:41.628Z

Link: CVE-2026-23488

Vulnrichment

Updated: 2026-03-24T13:48:09.361Z

NVD

Status: Analyzed

Published: 2026-03-23T21:17:03.277

Modified: 2026-03-24T18:03:46.747

Link: CVE-2026-23488

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T20:36:37Z

Weaknesses