CVE-2026-23482
Published: 23 March 2026
Summary
CVE-2026-23482 is a high-severity Path Traversal (CWE-22) vulnerability in Blinko. Its CVSS base score is 8.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 28.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
This vulnerability is classified as AI-related (AI category: Other Platforms; risk domain: Privacy and Disclosure).
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
Blinko, an AI-powered card note-taking application, is affected by a path traversal vulnerability (CWE-22) in its file server endpoint prior to version 1.8.4. The endpoint fails to enforce permission checks on the temp/ directory and does not sanitize path traversal sequences, enabling unauthenticated access to arbitrary server files.
An attacker with network access can exploit this flaw to read any file on the filesystem. When scheduled backup tasks are enabled, this includes backup archives that contain all user notes and authentication tokens, resulting in full account compromise without requiring credentials or user interaction.
The project has released version 1.8.4 to address the issue, with the fix documented in commit c48851090767feba431418630c495d90a7da1781 and the corresponding GitHub security advisory GHSA-hrwx-rhrx-f9mm. Administrators should upgrade immediately and verify that backup files are stored outside the web-accessible temp/ path.
The EPSS score for this CVE rose from a lower baseline to a peak of 0.2046 (current value 0.1671), indicating that exploitation interest increased after public disclosure.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-14533
Vulnerability details
Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, the file server endpoint does not perform permission checks on the temp/ path and does not filter path traversal sequences, allowing unauthorized attackers to read arbitrary files on the server. When scheduled backup tasks are enabled, attackers can read backup files to obtain all user notes and user TOKENS. This issue has been patched in version 1.8.4.
- CWE(s): CWE-22 (Path Traversal)
AI Security Analysis
- AI Category: Other Platforms
- Risk Domain: Privacy and Disclosure
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: ai
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal in public-facing file server endpoint directly enables remote exploitation (T1190) for unauthorized local file reads (T1005).
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Enforces approved authorizations for access to the temp/ path and other files, directly addressing the lack of permission checks in the file server endpoint.
- SI-10 (Information Input Validation): Requires validation of inputs to the file server endpoint to filter path traversal sequences such as '../', preventing unauthorized arbitrary file reads.
- Limits privileges of the file server process to the minimum necessary, reducing the impact of a successful path traversal by restricting access to sensitive files such as backups.