Cyber Resilience

CVE-2026-23480

Medium

Published: 23 March 2026

Published
23 March 2026
Modified
24 March 2026
KEV Added
Patch
CVSS Score v4 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0034 (26.1st percentile)
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2026-23480 is a medium-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability in Blinko Blinko. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It is ranked at the 26.1st percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

This vulnerability is classified as AI-related (AI category: LLM Application Platforms; risk domain: Not Applicable).

The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-23480 is a privilege escalation vulnerability (CWE-288) in Blinko, an AI-powered card note-taking project, affecting versions prior to 1.8.4. The issue resides in the upsertUser endpoint, which has three flaws: superAdminAuthMiddleware is not applied, so any logged-in user can invoke it; originalPassword is an optional parameter, and password verification is skipped when it is omitted; and there is no ownership check (input.id === ctx.id). Together these allow unauthorized manipulation of other users' data.

An attacker holding any valid user account can exploit this remotely (AV:N) with low attack complexity (AC:L), no user interaction (UI:N) and low privileges (PR:L); the CVSS v3.1 base score is 8.8 (C:H/I:H/A:H). Successful exploitation allows modification of other users' passwords, direct escalation to superadmin, and full account takeover, potentially compromising the entire user base.

The vulnerability was addressed in Blinko version 1.8.4. Mitigation details are available in the GitHub security advisory (GHSA-r3mv-q7ww-86p6), release notes (github.com/blinkospace/blinko/releases/tag/1.8.4), and the patching commit (github.com/blinkospace/blinko/commit/3afbdf486b6f371bdac5781dea6289749f2c4c03). Practitioners should upgrade immediately and audit similar endpoints for middleware, verification, and ownership controls.
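The audit the previous paragraph recommends is easier with a concrete reference point. The handler below is an added illustration written for this page; it is not Blinko's code and not the content of the patching commit. It models a tRPC-style upsertUser procedure that closes all three gaps the analysis lists: admin-only account creation (the role of superAdminAuthMiddleware), an ownership check on input.id === ctx.id, and a mandatory originalPassword check for self-service password changes. UserStore, Ctx, UpsertInput, upsertUser and runScenarios are hypothetical names, and the password field is a plain stand-in for a stored hash.

```typescript
// Added illustration, not Blinko's code: a hardened upsertUser handler that
// closes the three gaps the advisory describes. UserStore, Ctx, UpsertInput,
// upsertUser and runScenarios are hypothetical names chosen for this example.

type Role = "user" | "superadmin";

interface User {
  id: number;
  name: string;
  role: Role;
  // Stand-in for a stored password hash; real code keeps bcrypt/argon2 output
  // here and verifies with the library's compare function.
  passwordSecret: string;
}

// Authenticated caller, as a tRPC-style request context would carry it.
interface Ctx {
  id: number;
  role: Role;
}

interface UpsertInput {
  id?: number;               // absent: create a new account
  name?: string;
  role?: Role;
  password?: string;         // new password to set
  originalPassword?: string; // current password, proves the caller owns the account
}

type Result = { ok: true; user: User } | { ok: false; denied: string };

// Constant-time comparison so verification latency does not reveal how many
// leading characters of the supplied secret were correct.
function secretsEqual(a: string, b: string): boolean {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

class UserStore {
  private users = new Map<number, User>();
  private nextId = 1;

  create(name: string, role: Role, passwordSecret: string): User {
    const user: User = { id: this.nextId++, name, role, passwordSecret };
    this.users.set(user.id, user);
    return user;
  }

  get(id: number): User | undefined {
    return this.users.get(id);
  }
}

function upsertUser(store: UserStore, ctx: Ctx, input: UpsertInput): Result {
  const isSuperAdmin = ctx.role === "superadmin";

  // Gap 1 (missing superAdminAuthMiddleware): creating accounts is admin-only.
  if (input.id === undefined) {
    if (!isSuperAdmin) return { ok: false, denied: "only a superadmin may create users" };
    return { ok: true, user: store.create(input.name ?? "", input.role ?? "user", input.password ?? "") };
  }

  // Gap 3 (no input.id === ctx.id check): a non-admin may only touch its own record.
  if (!isSuperAdmin && input.id !== ctx.id) {
    return { ok: false, denied: "cannot modify another user's account" };
  }

  const target = store.get(input.id);
  if (target === undefined) return { ok: false, denied: "no such user" };

  // Role changes are admin-only, so a user cannot promote itself to superadmin.
  if (input.role !== undefined && !isSuperAdmin) {
    return { ok: false, denied: "only a superadmin may change roles" };
  }

  // Gap 2 (originalPassword optional): a self-service password change must
  // always present and verify the current password. Only a superadmin
  // resetting someone else's account is exempt.
  if (input.password !== undefined && input.id === ctx.id) {
    if (input.originalPassword === undefined || !secretsEqual(target.passwordSecret, input.originalPassword)) {
      return { ok: false, denied: "current password is required and must match" };
    }
  }

  if (input.name !== undefined) target.name = input.name;
  if (input.role !== undefined) target.role = input.role;
  if (input.password !== undefined) target.passwordSecret = input.password;
  return { ok: true, user: target };
}

// Exercises the access paths the advisory lists against a constructed store
// and reports whether each was allowed or denied.
function runScenarios(): Record<string, string> {
  const store = new UserStore();
  const admin = store.create("admin", "superadmin", "admin-secret");
  const alice = store.create("alice", "user", "alice-secret");
  const bob = store.create("bob", "user", "bob-secret");
  const asAlice: Ctx = { id: alice.id, role: alice.role };
  const asAdmin: Ctx = { id: admin.id, role: admin.role };
  const outcome = (r: Result): string => (r.ok ? "allowed" : "denied");

  return {
    userEditsOtherUser: outcome(upsertUser(store, asAlice, { id: bob.id, password: "x" })),
    userCreatesAccount: outcome(upsertUser(store, asAlice, { name: "mallory", password: "x" })),
    userSelfPromotes: outcome(upsertUser(store, asAlice, { id: alice.id, role: "superadmin" })),
    userPasswordWithoutOriginal: outcome(upsertUser(store, asAlice, { id: alice.id, password: "new" })),
    userPasswordWrongOriginal: outcome(upsertUser(store, asAlice, { id: alice.id, password: "new", originalPassword: "guess" })),
    userPasswordCorrectOriginal: outcome(upsertUser(store, asAlice, { id: alice.id, password: "new", originalPassword: "alice-secret" })),
    adminResetsOtherUser: outcome(upsertUser(store, asAdmin, { id: bob.id, password: "reset" })),
    aliceRoleAfter: alice.role,
  };
}
```

The useful property for an endpoint audit is that every denial is a positive decision in the handler rather than an absence: the first branch stands in for the middleware, the ownership test runs before the target record is even loaded, and the password proof is required whenever the caller is editing its own account, regardless of role. A review of similar endpoints can then ask, for each of the three, where the equivalent line is.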

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, there is a privilege escalation vulnerability. The upsertUser endpoint has 3 issues: it is missing superAdminAuthMiddleware, so any logged-in user can call it; the originalPassword is an optional parameter and, if not provided, password verification is skipped; there is no check for input.id === ctx.id (ownership verification). This could result in any authenticated user modifying other users' passwords, direct escalation to superadmin, and complete account takeover. This issue has been patched in version 1.8.4.

CWE(s)

AI Security Analysis

AI Category
LLM Application Platforms
Risk Domain
Not Applicable
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: ai

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1098 Account Manipulation (tactic: Persistence)
Adversaries may manipulate accounts to maintain and/or elevate access to victim systems.
Why these techniques?

Direct privilege escalation via missing auth/ownership checks on user management endpoint enables T1068; resulting unauthorized password/privilege changes map to T1098 Account Manipulation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-23882 (same product: Blinko Blinko)
CVE-2026-23482 (same product: Blinko Blinko)
CVE-2026-26117 (shared CWE-288)
CVE-2026-34040 (shared CWE-288)
CVE-2025-22230 (shared CWE-288)
CVE-2025-67998 (shared CWE-288)
CVE-2025-0674 (shared CWE-288)
CVE-2026-24206 (shared CWE-288)
CVE-2026-24359 (shared CWE-288)
CVE-2025-9967 (shared CWE-288)

Affected Assets

blinko
blinko
≤ 1.8.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

AC-3 (prevent): requires systems to enforce approved authorizations for access, directly addressing the missing superAdminAuthMiddleware and the lack of ownership verification (input.id === ctx.id) in the upsertUser endpoint.

AC-6 (prevent): enforces least privilege, preventing any authenticated user from escalating privileges to superadmin through unauthorized use of the upsertUser endpoint.

AC-2 (prevent): requires approval and management processes for account modifications, mitigating unauthorized changes to other users' passwords and accounts via the upsertUser endpoint.

References