Description
Wiki.js is an open source wiki app built on Node.js. Prior to 2.5.313, the users.update GraphQL mutation accepts an arbitrary groups array and applies it directly to the database with no validation of the group IDs supplied. The resolver passes the caller's arguments straight to the model without any ownership check or restriction on which groups can be assigned. A user with manage:users — a permission typically delegated to wiki moderators for account management — can set groups:[1] on their own account to self-assign to the Administrators group. After re-authentication, the fresh JWT carries manage:system, granting full site administrator access in a single mutation call. This vulnerability is fixed in 2.5.313.
Published: 2026-05-12
Score: 8.6 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Wiki.js GraphQL mutation users.update in versions prior to 2.5.313 accepts an arbitrary list of group identifiers and applies them to a user account without validating the group IDs or the caller’s ownership. A user who holds the manage:users permission—typically a moderator—can assign themselves the Administrators group by submitting groups:[1]. Once re‑authenticated, the resulting JSON Web Token contains manage:system, granting unrestricted administrative control over the entire wiki site in a single mutation.

Affected Systems

Requarks Wiki.js releases 2.5.312 and earlier are susceptible. The issue was resolved in version 2.5.313, which added validation to the users.update mutation.

Risk and Exploitability

With a CVSS score of 8.6, the vulnerability is rated high severity. No EPSS score is available and the flaw is not yet listed in the CISA KEV catalog, suggesting it may not be widely exploited at present. However, a legitimate moderator can trigger the escalation simply by invoking the mutation, so exposure exists internally as soon as manage:users has been granted. Because group IDs are not checked, any user holding manage:users can elevate to site administrator if they are able to submit the mutation. The damage from exploitation would be comprehensive loss of confidentiality, integrity, and availability across the wiki environment.

Generated by OpenCVE AI on May 12, 2026 at 22:39 UTC.
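The missing check described above, as an added example that is not Wiki.js code: a validation step a users.update-style resolver could run before handing the groups array to the model. The group table, the permission names and the Administrators group id (1) follow the advisory text; the function and field names are assumptions.

```javascript
// Constructed group table (not Wiki.js data): id -> name and permissions granted.
const GROUPS = new Map([
  [1, { name: 'Administrators', permissions: ['manage:system', 'manage:users', 'write:pages', 'read:pages'] }],
  [2, { name: 'Moderators', permissions: ['manage:users', 'write:pages', 'read:pages'] }],
  [3, { name: 'Users', permissions: ['read:pages'] }],
]);

// Effective permissions of an account are the union of its groups' permissions.
function permissionsOf(groupIds, groups = GROUPS) {
  const out = new Set();
  for (const id of groupIds) {
    for (const p of groups.get(id)?.permissions ?? []) out.add(p);
  }
  return out;
}

// Hypothetical guard for a users.update-style mutation. Returns { ok: true, groups }
// with a de-duplicated list, or { ok: false, reason }, so the resolver can reject
// the request before anything reaches the database.
function validateGroupAssignment(caller, targetUserId, requestedGroupIds, groups = GROUPS) {
  if (!Array.isArray(requestedGroupIds)) return { ok: false, reason: 'groups must be an array' };
  const callerPerms = permissionsOf(caller.groups, groups);
  if (!callerPerms.has('manage:users')) return { ok: false, reason: 'caller lacks manage:users' };
  // Ownership check: an account may not rewrite its own group membership.
  if (caller.id === targetUserId) return { ok: false, reason: 'cannot modify own groups' };
  const unique = [...new Set(requestedGroupIds)];
  // Existence check: every id must name a real group.
  for (const id of unique) {
    if (!Number.isInteger(id) || !groups.has(id)) return { ok: false, reason: `unknown group ${id}` };
  }
  // Escalation check: a granted group may not carry a permission the caller lacks,
  // so a moderator without manage:system can never hand out group 1.
  for (const id of unique) {
    for (const p of groups.get(id).permissions) {
      if (!callerPerms.has(p)) return { ok: false, reason: `group ${id} grants ${p}, which caller lacks` };
    }
  }
  return { ok: true, groups: unique };
}
```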

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Requarks Wiki.js to version 2.5.313 or later
  • Limit the manage:users permission to only trusted moderator accounts
  • Implement manual monitoring of group assignment changes in the database or logs


Tracking


Advisories

No advisories yet.

History

Tue, 12 May 2026 21:00:00 +0000

Type | Values Removed | Values Added
Description | - | Wiki.js is an open source wiki app built on Node.js. Prior to 2.5.313, the users.update GraphQL mutation accepts an arbitrary groups array and applies it directly to the database with no validation of the group IDs supplied. The resolver passes the caller's arguments straight to the model without any ownership check or restriction on which groups can be assigned. A user with manage:users — a permission typically delegated to wiki moderators for account management — can set groups:[1] on their own account to self-assign to the Administrators group. After re-authentication, the fresh JWT carries manage:system, granting full site administrator access in a single mutation call. This vulnerability is fixed in 2.5.313.
Title | - | Wiki.js: Privilege Escalation via Missing Group Validation in users.update
Weaknesses | - | CWE-269
References | - | -
Metrics | - | cvssV4_0: score 8.6, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-12T20:33:53.046Z

Reserved: 2026-05-05T15:42:40.518Z

Link: CVE-2026-44224

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-12T21:16:16.137

Modified: 2026-05-12T21:16:16.137

Link: CVE-2026-44224

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T22:45:15Z

Weaknesses