Description
Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, the MCP (Model Context Protocol) server creation function allows specifying arbitrary commands and arguments, which are executed when testing the connection. This issue has been patched in version 1.8.4.
Published: 2026-03-23
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

This vulnerability allows an attacker to execute arbitrary operating-system commands on the Blinko server through the MCP server creation function. Because the function accepts arbitrary command strings and arguments, an attacker who can create an MCP server entry and trigger its connection test can cause those commands to run. The flaw maps to CWE-78 (operating-system command injection) and yields a full remote code execution vector. A successful attack compromises the confidentiality, integrity, and availability of the affected system and could give the attacker administrative control over the host.

Affected Systems

The affected product is blinkospace's Blinko. All releases prior to version 1.8.4 are vulnerable; the bug was patched in 1.8.4. Users running any earlier build, such as 1.8.3, are at risk.

Risk and Exploitability

The CVSS score is 8.6, indicating high severity. The EPSS score is below 1%, which suggests a low probability that an exploit will appear in the wild, and the vulnerability is not listed in the CISA KEV catalog. However, the flaw can be exploited remotely by anyone with administrative access to Blinko's MCP interface: the attack requires authenticating as an administrator and invoking the server creation function, after which the specified command executes with the service's privileges. Given the high impact and the straightforward path to exploitation, the vulnerability warrants immediate remediation.

Generated by OpenCVE AI on March 24, 2026 at 19:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Blinko to version 1.8.4 or newer

Advisories

No advisories yet.

History

Tue, 24 Mar 2026 18:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | - | Blinko; Blinko blinko
CPEs | - | cpe:2.3:a:blinko:blinko:*:*:*:*:*:*:*:*
Vendors & Products | - | Blinko; Blinko blinko
Metrics | - | cvssV3_1 {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}


Tue, 24 Mar 2026 16:15:00 +0000

Type | Values Removed | Values Added
Metrics | - | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 24 Mar 2026 10:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | - | Blinkospace; Blinkospace blinko
Vendors & Products | - | Blinkospace; Blinkospace blinko

Tue, 24 Mar 2026 02:30:00 +0000

Type | Values Removed | Values Added
Description | - | Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, the MCP (Model Context Protocol) server creation function allows specifying arbitrary commands and arguments, which are executed when testing the connection. This issue has been patched in version 1.8.4.
Title | - | Blinko: Admin RCE - MCP Server Command Injection
Weaknesses | - | CWE-78
References | - |
Metrics | - | cvssV4_0 {'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-24T15:59:02.803Z

Reserved: 2026-01-16T21:02:02.901Z

Link: CVE-2026-23882

Vulnrichment

Updated: 2026-03-24T15:58:52.407Z

NVD

Status: Analyzed

Published: 2026-03-23T21:17:05.640

Modified: 2026-03-24T18:03:12.353

Link: CVE-2026-23882

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T20:36:35Z

Weaknesses