Cyber Resilience

CVE-2026-23882

HighRCE

Published: 23 March 2026

Published
23 March 2026
Modified
24 March 2026
KEV Added
Patch
CVSS Score v4 8.6 CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0036 28.0th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-23882 is a high-severity OS Command Injection (CWE-78) vulnerability in Blinko Blinko. Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 28.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related — categorised as AI Agent Protocols and Integrations; in the Protocol-Specific Risks risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-23882 is a command injection vulnerability (CWE-78) in Blinko, an AI-powered card note-taking project. In versions prior to 1.8.4, the MCP (Model Context Protocol) server creation function allows users to specify arbitrary commands and arguments, which are executed when testing the connection. The vulnerability carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

Attackers with high privileges (PR:H), such as authenticated users with elevated access, can exploit this over the network with low complexity and no user interaction required. Successful exploitation enables arbitrary command execution on the target system, resulting in high impacts to confidentiality, integrity, and availability.

The issue has been patched in Blinko version 1.8.4. Mitigation involves updating to this version or later. Details are provided in the GitHub security advisory (GHSA-59r2-82p8-c56v), release notes for v1.8.4, and the patching commit (bef6b770743e87c630db2d00d7049dabd96bfe85).

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, the MCP (Model Context Protocol) server creation function allows specifying arbitrary commands and arguments, which are executed when testing the connection. This issue has been patched in version 1.8.4.

CWE(s)

AI Security AnalysisAI

AI Category
AI Agent Protocols and Integrations
Risk Domain
Protocol-Specific Risks
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: ai, mcp, model context protocol

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059 Command and Scripting Interpreter Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

Command injection (CWE-78) in server function enables network-based arbitrary command execution as high-priv user, directly facilitating T1190 (public-facing app exploitation) and T1059 (command/script interpreter abuse).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-23482Same product: Blinko Blinko
CVE-2026-23480Same product: Blinko Blinko
CVE-2026-5058Shared CWE-78
CVE-2026-30635Shared CWE-78
CVE-2026-34935Shared CWE-78
CVE-2026-6942Shared CWE-78
CVE-2026-28470Shared CWE-78
CVE-2025-69269Shared CWE-78
CVE-2025-24971Shared CWE-78
CVE-2026-22553Shared CWE-78

Affected Assets

blinko
blinko
≤ 1.8.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-10 requires validation of information inputs to the MCP server creation function, directly preventing arbitrary command injection by rejecting malicious commands and arguments.

prevent

SI-2 ensures timely identification, reporting, and correction of flaws like this command injection vulnerability through patching to Blinko v1.8.4.

prevent

AC-6 enforces least privilege, limiting the high-privilege (PR:H) access needed to exploit the MCP server creation function for command injection.

References