Auth bypass in Blinkospace Blinko

CVE-2026-23487

Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, there is an IDOR vulnerability where user.detail Endpoint Leaks the Superadmin Token. This issue has been patched in version 1.8.4.

Vulnerability class: IDOR (Insecure Direct Object Reference)

EPSS: 0.000 (13.1th percentile) — read the EPSS interpretation.

Affected products

Blinkospace Blinko — versions < 1.8.4

Weakness classification (CWE)

CWE-639 — Authorization Bypass Through User-Controlled Key

References

https://github.com/blinkospace/blinko/security/advisories/GHSA-4ffv-78qx-9p66 (x_refsource_CONFIRM)
https://github.com/blinkospace/blinko/commit/bef6b770743e87c630db2d00d7049dabd96bfe85 (x_refsource_MISC)
https://github.com/blinkospace/blinko/releases/tag/1.8.4 (x_refsource_MISC)