PT-2026-40432 · Wiki.Js

Tuannq2299 · Published 2026-05-12 · Updated 2026-05-12

CVE-2026-44224
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Wiki.js versions prior to 2.5.313
Description: The users.update GraphQL mutation applies an arbitrary groups array directly to the database without validating the supplied group IDs. The resolver passes its arguments straight to the model, with no ownership check and no restriction on which groups may be assigned. A user holding the manage:users permission, which is typically granted to moderators, can therefore add themselves to the Administrators group by submitting groups: [1]. After re-authenticating, the resulting JSON Web Token (JWT, a compact, URL-safe representation of claims passed between two parties) carries the manage:system permission, giving the user full site administrator access.
Recommendations: Update to version 2.5.313.
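To make the missing checks concrete, the following is an added example (not Wiki.js code and not the project's actual fix) of a guard that a users.update-style resolver could run on the client-supplied groups array before handing it to the model. It validates that every ID exists, refuses to let callers edit their own membership, and reserves privileged groups for holders of manage:system. The permission names manage:users and manage:system and the Administrators group having ID 1 come from the advisory; the KNOWN_GROUPS table, the function names and the shape of the actor object are assumptions constructed for this illustration.

```javascript
// Added example: guard for a users.update-style mutation. Not Wiki.js code.

// Constructed sample group table. The ids other than 1 are assumptions;
// id 1 as the Administrators group follows the advisory text.
const KNOWN_GROUPS = new Map([
  [1, { name: 'Administrators', privileged: true }],
  [2, { name: 'Moderators', privileged: false }],
  [3, { name: 'Editors', privileged: false }],
]);

class GroupAssignmentError extends Error {}

// actor:        { id, permissions: [...] }, the authenticated caller (assumed shape)
// targetUserId: id of the user whose groups are being changed
// requested:    the groups array supplied by the client (untrusted input)
// Returns a de-duplicated, validated list of ids that is safe to pass on,
// or throws GroupAssignmentError.
function validateGroupAssignment(actor, targetUserId, requested, knownGroups = KNOWN_GROUPS) {
  if (!Array.isArray(requested)) {
    throw new GroupAssignmentError('groups must be an array');
  }
  const perms = new Set(actor.permissions || []);
  const isSysAdmin = perms.has('manage:system');

  // Every id must be a positive integer present in the group table. The
  // original flaw was persisting whatever ids arrived, unchecked.
  const ids = [...new Set(requested)];
  for (const id of ids) {
    if (!Number.isInteger(id) || id <= 0 || !knownGroups.has(id)) {
      throw new GroupAssignmentError(`unknown group id: ${String(id)}`);
    }
  }

  // Ownership check: a caller may not change their own membership unless
  // they already hold manage:system. This closes the self-promotion path.
  if (actor.id === targetUserId && !isSysAdmin) {
    throw new GroupAssignmentError('cannot modify your own group membership');
  }

  // Privileged groups may only be granted by manage:system holders, so that
  // manage:users alone can never hand out manage:system.
  for (const id of ids) {
    if (knownGroups.get(id).privileged && !isSysAdmin) {
      throw new GroupAssignmentError(`assigning group ${id} requires manage:system`);
    }
  }
  return ids;
}

// Wrapper returning a verdict instead of throwing, for a resolver that wants
// to log the rejection and return a GraphQL error to the client.
function checkGroupAssignment(actor, targetUserId, requested) {
  try {
    return { ok: true, groups: validateGroupAssignment(actor, targetUserId, requested) };
  } catch (e) {
    if (e instanceof GroupAssignmentError) return { ok: false, reason: e.message };
    throw e;
  }
}

// Walk through the scenario from the advisory: a moderator with manage:users
// tries to add themselves to group 1. Returns the verdicts for inspection.
function demo() {
  const moderator = { id: 42, permissions: ['manage:users'] };
  return {
    selfPromotion: checkGroupAssignment(moderator, 42, [1]),
    promoteOther: checkGroupAssignment(moderator, 7, [1]),
    ordinaryAssign: checkGroupAssignment(moderator, 7, [3]),
    unknownId: checkGroupAssignment(moderator, 7, [3, 999]),
  };
}
```

In demo(), only ordinaryAssign succeeds; the self-promotion attempt is stopped by the ownership check before the privileged-group check is even reached, which is the order a resolver should use so that the cheapest, most general refusal comes first.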


Weakness Enumeration: Improper Privilege Management

Related Identifiers: CVE-2026-44224

Affected Products: Wiki.Js