Vulnerability in Blinkospace Blinko

CVE-2026-23480

Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, there is a privilege escalation vulnerability. The upsertUser endpoint has 3 issues: it is missing superAdminAuthMiddleware, so any logged-in user can call it; the orig…

EPSS: 0.000 (6.2th percentile)

Affected products

Weakness classification (CWE)

References