CVE-2026-23480

Name of the Vulnerable Software and Affected Versions Blinko versions prior to 1.8.4

Description Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, a privilege escalation issue exists. The upsertUser API endpoint is missing superAdminAuthMiddleware, allowing any logged-in user to call it. The originalPassword parameter is optional, and if not provided, password verification is skipped. Additionally, there is no ownership verification performed, specifically checking if input.id equals ctx.id. This could allow any authenticated user to modify other users' passwords, escalate privileges to superadmin, and potentially take complete account control.

Recommendations Update to version 1.8.4 or later.