{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23488", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-13T15:47:41.628Z", "datePublished": "2026-03-23T20:48:55.325Z", "dateUpdated": "2026-03-24T13:48:42.544Z"}, "containers": {"cna": {"title": "Blinko: multiple interfaces in the comment feature allow unauthorized access", "problemTypes": [{"descriptions": [{"cweId": "CWE-639", "lang": "en", "description": "CWE-639: Authorization Bypass Through User-Controlled Key", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/blinkospace/blinko/security/advisories/GHSA-84hm-vw62-472m", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/blinkospace/blinko/security/advisories/GHSA-84hm-vw62-472m"}, {"name": "https://github.com/blinkospace/blinko/pull/1089", "tags": ["x_refsource_MISC"], "url": "https://github.com/blinkospace/blinko/pull/1089"}, {"name": "https://github.com/blinkospace/blinko/commit/4623dd02bdeed768ffa6fea4cc2f8644cbb08c5e", "tags": ["x_refsource_MISC"], "url": "https://github.com/blinkospace/blinko/commit/4623dd02bdeed768ffa6fea4cc2f8644cbb08c5e"}, {"name": "https://github.com/blinkospace/blinko/releases/tag/1.8.4", "tags": ["x_refsource_MISC"], "url": "https://github.com/blinkospace/blinko/releases/tag/1.8.4"}], "affected": [{"vendor": "blinkospace", "product": "blinko", "versions": [{"version": "< 1.8.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-23T20:48:55.325Z"}, "descriptions": [{"lang": "en", "value": "Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, the /api/v1/comment/create endpoint has an unauthorized access vulnerability, allowing attackers to post comments on any note (including private notes) without authorization, even if the note has not been publicly shared. The /api/v1/comment/list endpoint has the same issue, allowing unauthorized viewing of comments on all notes. This issue has been patched in version 1.8.4."}], "source": {"advisory": "GHSA-84hm-vw62-472m", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-24T13:47:27.294337Z", "id": "CVE-2026-23488", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T13:48:42.544Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-23488", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-24T13:47:27.294337Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T13:48:09.361Z"}}], "cna": {"title": "Blinko: multiple interfaces in the comment feature allow unauthorized access", "source": {"advisory": "GHSA-84hm-vw62-472m", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW"}}], "affected": [{"vendor": "blinkospace", "product": "blinko", "versions": [{"status": "affected", "version": "< 1.8.4"}]}], "references": [{"url": "https://github.com/blinkospace/blinko/security/advisories/GHSA-84hm-vw62-472m", "name": "https://github.com/blinkospace/blinko/security/advisories/GHSA-84hm-vw62-472m", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/blinkospace/blinko/pull/1089", "name": "https://github.com/blinkospace/blinko/pull/1089", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/blinkospace/blinko/commit/4623dd02bdeed768ffa6fea4cc2f8644cbb08c5e", "name": "https://github.com/blinkospace/blinko/commit/4623dd02bdeed768ffa6fea4cc2f8644cbb08c5e", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/blinkospace/blinko/releases/tag/1.8.4", "name": "https://github.com/blinkospace/blinko/releases/tag/1.8.4", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, the /api/v1/comment/create endpoint has an unauthorized access vulnerability, allowing attackers to post comments on any note (including private notes) without authorization, even if the note has not been publicly shared. The /api/v1/comment/list endpoint has the same issue, allowing unauthorized viewing of comments on all notes. This issue has been patched in version 1.8.4."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639: Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-23T20:48:55.325Z"}}}, "cveMetadata": {"cveId": "CVE-2026-23488", "state": "PUBLISHED", "dateUpdated": "2026-03-24T13:48:42.544Z", "dateReserved": "2026-01-13T15:47:41.628Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-23T20:48:55.325Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:blinko:blinko:*:*:*:*:*:*:*:*", "matchCriteriaId": "31941A3D-C688-40DF-AA55-1AF9056275D0", "versionEndExcluding": "1.8.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, the /api/v1/comment/create endpoint has an unauthorized access vulnerability, allowing attackers to post comments on any note (including private notes) without authorization, even if the note has not been publicly shared. The /api/v1/comment/list endpoint has the same issue, allowing unauthorized viewing of comments on all notes. This issue has been patched in version 1.8.4."}, {"lang": "es", "value": "Blinko es un proyecto de toma de notas en tarjetas impulsado por IA. Antes de la versi\u00f3n 1.8.4, el endpoint /api/v1/comment/create tiene una vulnerabilidad de acceso no autorizado, permitiendo a los atacantes publicar comentarios en cualquier nota (incluidas las notas privadas) sin autorizaci\u00f3n, incluso si la nota no ha sido compartida p\u00fablicamente. El endpoint /api/v1/comment/list tiene el mismo problema, permitiendo la visualizaci\u00f3n no autorizada de comentarios en todas las notas. Este problema ha sido parcheado en la versi\u00f3n 1.8.4."}], "id": "CVE-2026-23488", "lastModified": "2026-03-24T18:03:46.747", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-23T21:17:03.277", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/blinkospace/blinko/commit/4623dd02bdeed768ffa6fea4cc2f8644cbb08c5e"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/blinkospace/blinko/pull/1089"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/blinkospace/blinko/releases/tag/1.8.4"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/blinkospace/blinko/security/advisories/GHSA-84hm-vw62-472m"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.8.4)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "blinko", "source": "cna", "vendor": "blinkospace"}, "product": "blinko", "vendor": "blinkospace"}], "analysis": {"en": {"generated_at": "2026-03-24T19:26:35.224667+00:00", "value": {"mitigation_remediation": ["Deploy Blinko version 1.8.4 or later to eliminate the access control flaw.", "Verify that the deployed server has updated API endpoints without the unauthorized access vulnerability.", "Monitor API usage logs for any suspicious comment activity after patching."], "summary": {"action": "Patch", "impact": "Unauthorized use of comment APIs for both reading and writing on private notes"}, "threat_synthesis": {"affected_systems": "Blinkospace Blinko, versions prior to 1.8.4. The application\u2019s AI\u2011powered card note\u2011taking features are affected.", "description_and_impact": "The vulnerability resides in two API endpoints that lack proper access controls. An attacker can submit comments to any note or retrieve all comments, even when the notes are marked private. This grants the attacker ability to read and add content to notes that were intended to remain confidential, leading to information disclosure and potential integrity compromise.", "risk_and_exploitability": "The CVSS score of 6.9 indicates a moderate severity. EPSS shows less than 1% likelihood of active exploitation, and it is not present in the CISA KEV list. The flaw can be leveraged remotely by any user who can reach the API endpoints; no prior authentication is required, so the attack surface is wide."}}}}, "created": "2026-03-24T10:32:48.544265+00:00", "updated": "2026-03-25T20:36:37.438424+00:00", "vendors": ["blinkospace", "blinkospace$PRODUCT$blinko"]}