PT-2026-25629 · Growi · Growi
Sho Odagiri
·
Published
2026-03-16
·
Updated
2026-03-16
·
CVE-2026-25083
CVSS v3.1
8.3
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L |
Name of the Vulnerable Software and Affected Versions
GROWI versions prior to 7.4.5
Description
The GROWI OpenAI thread/message API endpoints do not perform proper authorization checks: they confirm that the caller is logged in and may use the AI assistant, but not that the requested thread or message belongs to the caller. Any logged-in user who knows a shared AI assistant's identifier can therefore view and modify other users' threads and messages. The flaw exposes sensitive conversation data and allows tampering with other users' communications with the assistant.
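The following is an added illustration of the authorization gap described above, written for this page; it is not GROWI's code. The in-memory model (assistants with a share scope, threads owned by a user, messages), the assumed share rule and every handler name are assumptions made here. It contrasts the vulnerable handler shape, which stops at "is the caller logged in and allowed to use this assistant?", with the hardened shape, which also requires that the thread belong to the caller:

```javascript
// Added example, not GROWI's code. Data model, share rule and handler names
// are assumptions made for this illustration.

const ALICE = { id: "alice" };
const BOB = { id: "bob" };

// Constructed sample data: one assistant shared with every logged-in user,
// and one private thread per user created under it.
function newState() {
  return {
    assistants: new Map([
      ["asst_shared", { id: "asst_shared", ownerId: "alice", shareScope: "public" }],
    ]),
    threads: new Map([
      ["thr_alice", { id: "thr_alice", assistantId: "asst_shared", ownerId: "alice",
                      messages: ["alice: draft of the salary review"] }],
      ["thr_bob",   { id: "thr_bob",   assistantId: "asst_shared", ownerId: "bob",
                      messages: ["bob: notes on the incident postmortem"] }],
    ]),
  };
}

// "May this user use this assistant at all?" This is the only object-level
// check the vulnerable handlers perform.
function canUseAssistant(user, assistant) {
  return assistant.shareScope === "public" || assistant.ownerId === user.id;
}

// Shared lookup. enforceOwnership=false reproduces the vulnerable behaviour:
// authentication plus assistant access, but no check that the thread is the
// caller's. enforceOwnership=true is the hardened behaviour. A foreign thread
// is answered with 404 rather than 403 so the endpoint cannot be used as an
// oracle for which thread ids exist.
function resolveThread(state, user, assistantId, threadId, enforceOwnership) {
  if (!user) return { status: 401 };
  const assistant = state.assistants.get(assistantId);
  if (!assistant || !canUseAssistant(user, assistant)) return { status: 403 };
  const thread = state.threads.get(threadId);
  if (!thread || thread.assistantId !== assistantId) return { status: 404 };
  if (enforceOwnership && thread.ownerId !== user.id) return { status: 404 };
  return { status: 200, thread };
}

// Vulnerable shape: "GET thread" and "POST message" gated only on being
// logged in and knowing a usable assistant id.
function getThreadVulnerable(state, user, assistantId, threadId) {
  const r = resolveThread(state, user, assistantId, threadId, false);
  return r.status === 200 ? { status: 200, messages: [...r.thread.messages] } : r;
}
function postMessageVulnerable(state, user, assistantId, threadId, text) {
  const r = resolveThread(state, user, assistantId, threadId, false);
  if (r.status !== 200) return r;
  r.thread.messages.push(`${user.id}: ${text}`);
  return { status: 201, count: r.thread.messages.length };
}

// Hardened shape: same inputs, plus the ownership check on the thread itself.
function getThreadFixed(state, user, assistantId, threadId) {
  const r = resolveThread(state, user, assistantId, threadId, true);
  return r.status === 200 ? { status: 200, messages: [...r.thread.messages] } : r;
}
function postMessageFixed(state, user, assistantId, threadId, text) {
  const r = resolveThread(state, user, assistantId, threadId, true);
  if (r.status !== 200) return r;
  r.thread.messages.push(`${user.id}: ${text}`);
  return { status: 201, count: r.thread.messages.length };
}

// Walk-through: Bob, a legitimate user of the shared assistant, targets
// Alice's thread. Vulnerable handlers leak and accept the write; the fixed
// handler refuses.
function demo() {
  const state = newState();
  const before = getThreadVulnerable(state, BOB, "asst_shared", "thr_alice").status;
  postMessageVulnerable(state, BOB, "asst_shared", "thr_alice", "injected text");
  const after = getThreadFixed(state, BOB, "asst_shared", "thr_alice").status;
  return { before, after, aliceMessages: state.threads.get("thr_alice").messages.length };
}

console.log(demo());
```

The point for a reviewer or tester is that the assistant-level share check and the thread-level ownership check are two different questions; a test that logs in as a second user, reuses the shared assistant id, and requests a thread id created by the first user distinguishes the two shapes immediately.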
Recommendations
Update GROWI to version 7.4.5 or later.
Fix
Weakness Enumeration
Missing Authorization (CWE-862)
Related Identifiers
Affected Products
Growi