Description
GROWI OpenAI thread/message API endpoints do not perform authorization. Affected are v7.4.5 and earlier versions. A logged-in user who knows a shared AI assistant's identifier may view and/or tamper with other users' threads/messages.
Published: 2026-03-16
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Data Access/Tampering
Action: Apply Patch
AI Analysis

Impact

GROWI's OpenAI thread and message API endpoints lack proper authorization: they verify that the caller is logged in, but not that the caller is entitled to the thread or message being requested. A logged-in user who knows the identifier of a shared AI assistant can therefore view or tamper with other users' threads and messages under that assistant. This permits unauthorized disclosure and modification of user data, violating confidentiality and integrity, and is classified as CWE-862, Missing Authorization.
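The failure mode described above, as an added illustration that is not GROWI's code: a minimal JavaScript model of a thread/message API that checks authentication but not authorization, beside a hardened version that decides access from server-side ownership records instead of trusting client-supplied identifiers. The in-memory store, the handler names, the route parameters and the rule that threads stay private to their owner even when the assistant itself is shared are all assumptions made for this example; the advisory does not describe GROWI's real data model or the fixed behaviour.

```javascript
// Added example, NOT GROWI's code: a toy model of the missing-authorization
// pattern (CWE-862) in this advisory, next to a hardened version. The store,
// handler names, request shape and permission model are assumptions.

// Constructed sample data: alice owns an assistant and shares it with bob;
// each user keeps their own private conversation threads under it.
const assistants = new Map([
  ['asst-1', { id: 'asst-1', ownerId: 'alice', sharedWith: new Set(['bob']) }],
]);
const threads = new Map([
  ['thr-alice', { id: 'thr-alice', assistantId: 'asst-1', ownerId: 'alice',
                  messages: ['alice: draft of the board memo'] }],
  ['thr-bob',   { id: 'thr-bob',   assistantId: 'asst-1', ownerId: 'bob',
                  messages: ['bob: summarise my notes'] }],
]);

// Vulnerable handlers: they authenticate (req.user must exist) but authorize
// nothing. Anyone who knows the assistant id gets every thread under it, and
// anyone who knows a thread id can append to it.
function listThreadsVulnerable(req) {
  if (!req.user) return { status: 401 };
  const rows = [...threads.values()].filter(t => t.assistantId === req.params.assistantId);
  return { status: 200, body: rows.map(t => t.id) };
}
function appendMessageVulnerable(req) {
  if (!req.user) return { status: 401 };
  const thread = threads.get(req.params.threadId);
  if (!thread) return { status: 404 };
  thread.messages.push(req.body.text);
  return { status: 200 };
}

// Hardened handlers: access is decided from server-side ownership records.
// The assistant check says who may use the assistant at all; the thread check
// says who may read or modify a given thread, which stays private to its owner.
function canUseAssistant(user, assistant) {
  return assistant.ownerId === user.id || assistant.sharedWith.has(user.id);
}
function ownsThread(user, thread) {
  return thread.ownerId === user.id;
}
function listThreadsHardened(req) {
  if (!req.user) return { status: 401 };
  const assistant = assistants.get(req.params.assistantId);
  // Same 404 for "does not exist" and "not shared with you": do not leak existence.
  if (!assistant || !canUseAssistant(req.user, assistant)) return { status: 404 };
  const rows = [...threads.values()]
    .filter(t => t.assistantId === assistant.id && ownsThread(req.user, t));
  return { status: 200, body: rows.map(t => t.id) };
}
function appendMessageHardened(req) {
  if (!req.user) return { status: 401 };
  const thread = threads.get(req.params.threadId);
  if (!thread || !ownsThread(req.user, thread)) return { status: 404 };
  thread.messages.push(req.body.text);
  return { status: 200 };
}

// Demo: bob, who legitimately shares the assistant, tries to enumerate and
// modify alice's thread through both versions of the API.
function demo() {
  const bob = { id: 'bob' };
  const read = { user: bob, params: { assistantId: 'asst-1' } };
  const write = { user: bob, params: { threadId: 'thr-alice' }, body: { text: 'bob: injected' } };
  return {
    vulnerableList: listThreadsVulnerable(read).body,       // ['thr-alice', 'thr-bob']
    vulnerableWrite: appendMessageVulnerable(write).status, // 200: alice's thread modified
    hardenedList: listThreadsHardened(read).body,           // ['thr-bob']
    hardenedWrite: appendMessageHardened(write).status,     // 404: refused, nothing leaked
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run with node. The hardened handlers return 404 rather than 403 for a thread that exists but belongs to someone else, so a caller probing identifiers learns nothing about which ones are valid; keeping the identifier secret is not itself the control, the ownership check is.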

Affected Systems

The product impacted is GROWI from GROWI, Inc. The vulnerability affects GROWI v7.4.5 and all earlier versions. No specific patched version is listed in the CVE data. No other products or versions are mentioned.

Risk and Exploitability

The CVSS v4.0 base score is 8.7 (High), with a CVSS v3.0 score of 8.3; both vectors are network-reachable, low-complexity, low-privilege and require no user interaction (AV:N/AC:L/PR:L/UI:N), with high confidentiality and integrity impact and low availability impact. The EPSS is below 1%, implying that exploitation in the wild is currently unlikely, and the vulnerability is not listed in CISA's KEV catalog. Exploitation requires only an authenticated account with ordinary privileges and knowledge of a shared assistant identifier, submitted over the network to the API; no elevated privileges are needed. The impact is leakage and tampering of other users' thread and message data.

Generated by OpenCVE AI on March 17, 2026 at 12:08 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Check the vendor’s website for updates or patches that address this issue.
  • Limit the exposure of shared AI assistant identifiers and enforce stricter access controls if no update is immediately available. Treat identifier secrecy as a stopgap only; it is not an authorization control.

Generated by OpenCVE AI on March 17, 2026 at 12:08 UTC.


Advisories

No advisories yet.

History

Tue, 24 Mar 2026 13:30:00 +0000

Type | Values Removed | Values Added
Title | | Unauthorized Access to GROWI OpenAI Thread/Message APIs Exposes User Data

Tue, 17 Mar 2026 10:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Growi
| | Growi growi
Vendors & Products | | Growi
| | Growi growi

Mon, 16 Mar 2026 15:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc
    {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 16 Mar 2026 07:30:00 +0000

Type | Values Removed | Values Added
Description | | GROWI OpenAI thread/message API endpoints do not perform authorization. Affected are v7.4.5 and earlier versions. A logged-in user who knows a shared AI assistant's identifier may view and/or tamper the other user's threads/messages.
Weaknesses | | CWE-862
References | |
Metrics | | cvssV3_0
    {'score': 8.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L'}
| | cvssV4_0
    {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: jpcert

Published:

Updated: 2026-03-16T14:59:21.243Z

Reserved: 2026-03-12T05:25:12.212Z

Link: CVE-2026-25083

Vulnrichment

Updated: 2026-03-16T14:59:17.115Z

NVD

Status : Awaiting Analysis

Published: 2026-03-16T14:18:18.177

Modified: 2026-03-16T14:53:07.390

Link: CVE-2026-25083

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-24T10:45:41Z

Weaknesses