Auth bypass in Blinkospace Blinko

CVE-2026-23488

Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, the /api/v1/comment/create endpoint has an unauthorized access vulnerability, allowing attackers to post comments on any note (including private notes) without autho…

Vulnerability class: IDOR (Insecure Direct Object Reference)

EPSS: 0.000 (3.3th percentile) — read the EPSS interpretation.

Affected products

Blinkospace Blinko — versions < 1.8.4

Weakness classification (CWE)

CWE-639 — Authorization Bypass Through User-Controlled Key

References

https://github.com/blinkospace/blinko/security/advisories/GHSA-84hm-vw62-472m (x_refsource_CONFIRM)
https://github.com/blinkospace/blinko/pull/1089 (x_refsource_MISC)
https://github.com/blinkospace/blinko/commit/4623dd02bdeed768ffa6fea4cc2f8644cbb08c5e (x_refsource_MISC)
https://github.com/blinkospace/blinko/releases/tag/1.8.4 (x_refsource_MISC)