PT-2026-25629 · Growi · Growi
Sho Odagiri · Published 2026-03-16 · Updated 2026-03-16
CVE-2026-25083
CVSS v3.1: 8.3 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Name of the Vulnerable Software and Affected Versions
GROWI versions prior to 7.4.5
Description
The GROWI OpenAI thread/message API endpoints do not perform proper authorization checks. A logged-in user who has access to a shared AI assistant's identifier can potentially view and modify other users' threads and messages. The affected API endpoints allow unauthorized access to sensitive data and potential tampering with user communications.
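The class of flaw described above, as an added example (not GROWI's code or API): a handler that checks only access to the shared assistant, beside one that also checks that the thread belongs to that assistant and to the caller. All names, the data model and the sample data are hypothetical, and the flawed function is one assumed form of a missing authorization check.

```javascript
// Added illustration: hypothetical in-memory model, not GROWI's code or API.
// Constructed sample data: one shared assistant, one thread per user.
const assistants = new Map([
  ['asst-shared', { sharedWith: new Set(['alice', 'bob']) }],
]);
const threads = new Map([
  ['th-alice', { assistantId: 'asst-shared', ownerId: 'alice', messages: ['alice draft'] }],
  ['th-bob', { assistantId: 'asst-shared', ownerId: 'bob', messages: ['bob notes'] }],
]);

function canUseAssistant(userId, assistantId) {
  const a = assistants.get(assistantId);
  return Boolean(a && a.sharedWith.has(userId));
}

// Flawed pattern (assumed): access to the shared assistant is treated as
// access to every thread created under it.
function getMessagesAssistantOnly(userId, assistantId, threadId) {
  if (!canUseAssistant(userId, assistantId)) return { status: 403 };
  const t = threads.get(threadId);
  return t ? { status: 200, messages: t.messages } : { status: 404 };
}

// Object-level check: the thread must exist, belong to the assistant named
// in the request, and be owned by the caller. Every failure maps to the
// same result so a caller cannot confirm that another user's thread exists.
function authorizeThread(userId, assistantId, threadId) {
  if (!canUseAssistant(userId, assistantId)) return null;
  const t = threads.get(threadId);
  if (!t || t.assistantId !== assistantId || t.ownerId !== userId) return null;
  return t;
}

function getMessages(userId, assistantId, threadId) {
  const t = authorizeThread(userId, assistantId, threadId);
  return t ? { status: 200, messages: [...t.messages] } : { status: 404 };
}

// Write paths use the same check as read paths.
function postMessage(userId, assistantId, threadId, text) {
  const t = authorizeThread(userId, assistantId, threadId);
  if (!t) return { status: 404 };
  t.messages.push(text);
  return { status: 201 };
}
```

A regression test for the fixed behaviour is the cross-user case: a second user with legitimate access to the same assistant must get the same response for another user's thread as for a nonexistent one.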
Recommendations
Versions prior to 7.4.5 should be updated.
Fix
Missing Authorization
Weakness Enumeration
Related Identifiers
Affected Products
Growi