{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25083", "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "state": "PUBLISHED", "assignerShortName": "jpcert", "dateReserved": "2026-03-12T05:25:12.212Z", "datePublished": "2026-03-16T06:47:38.734Z", "dateUpdated": "2026-03-16T14:59:21.243Z"}, "containers": {"cna": {"affected": [{"vendor": "GROWI, Inc.", "product": "GROWI", "versions": [{"version": "v7.4.5 and earlier", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "GROWI OpenAI thread/message API endpoints do not perform authorization. Affected are v7.4.5 and earlier versions. A logged-in user who knows a shared AI assistant's identifier may view and/or tamper the other user's threads/messages."}], "problemTypes": [{"descriptions": [{"description": "Missing authorization", "lang": "en-US", "cweId": "CWE-862", "type": "CWE"}]}], "references": [{"url": "https://jvn.jp/en/jp/JVN46373837/"}, {"url": "https://growi.co.jp/news/41/"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_0": {"version": "3.0", "baseSeverity": "HIGH", "baseScore": 8.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L"}}, {"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV4_0": {"version": "4.0", "baseSeverity": "HIGH", "baseScore": 8.7, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N"}}], "providerMetadata": {"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert", "dateUpdated": "2026-03-16T06:47:38.734Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-16T14:59:13.916958Z", "id": "CVE-2026-25083", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T14:59:21.243Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25083", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-16T14:59:13.916958Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T14:59:17.115Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_0": {"version": "3.0", "baseScore": 8.3, "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "baseScore": 8.7, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}], "affected": [{"vendor": "GROWI, Inc.", "product": "GROWI", "versions": [{"status": "affected", "version": "v7.4.5 and earlier"}]}], "references": [{"url": "https://jvn.jp/en/jp/JVN46373837/"}, {"url": "https://growi.co.jp/news/41/"}], "descriptions": [{"lang": "en", "value": "GROWI OpenAI thread/message API endpoints do not perform authorization. Affected are v7.4.5 and earlier versions. A logged-in user who knows a shared AI assistant's identifier may view and/or tamper the other user's threads/messages."}], "problemTypes": [{"descriptions": [{"lang": "en-US", "type": "CWE", "cweId": "CWE-862", "description": "Missing authorization"}]}], "providerMetadata": {"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert", "dateUpdated": "2026-03-16T06:47:38.734Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25083", "state": "PUBLISHED", "dateUpdated": "2026-03-16T14:59:21.243Z", "dateReserved": "2026-03-12T05:25:12.212Z", "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "datePublished": "2026-03-16T06:47:38.734Z", "assignerShortName": "jpcert"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "GROWI OpenAI thread/message API endpoints do not perform authorization. Affected are v7.4.5 and earlier versions. A logged-in user who knows a shared AI assistant's identifier may view and/or tamper the other user's threads/messages."}], "id": "CVE-2026-25083", "lastModified": "2026-03-16T14:53:07.390", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 5.5, "source": "vultures@jpcert.or.jp", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "vultures@jpcert.or.jp", "type": "Secondary"}]}, "published": "2026-03-16T14:18:18.177", "references": [{"source": "vultures@jpcert.or.jp", "url": "https://growi.co.jp/news/41/"}, {"source": "vultures@jpcert.or.jp", "url": "https://jvn.jp/en/jp/JVN46373837/"}], "sourceIdentifier": "vultures@jpcert.or.jp", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "vultures@jpcert.or.jp", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,7.4.5]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "GROWI", "source": "cna", "vendor": "GROWI, Inc."}, "product": "growi", "vendor": "growi"}], "analysis": {"en": {"generated_at": "2026-03-17T12:08:01.734847+00:00", "value": {"mitigation_remediation": ["Check the vendor\u2019s website for updates or patches that address this issue.", "Limit the exposure of shared AI assistant identifiers and enforce stricter access controls if no update is immediately available."], "summary": {"action": "Apply Patch", "impact": "Unauthorized Data Access/Tampering"}, "threat_synthesis": {"affected_systems": "The product impacted is GROWI from GROWI, Inc. The vulnerability affects all releases version 7.4.5 and earlier. No specific patch version is listed in the CVE data. No other products or versions are mentioned.", "description_and_impact": "GROWI OpenAI thread and message API endpoints lack proper authorization. A logged\u2011in user who knows the identifier of a shared AI assistant can view or tamper with other users\u2019 threads and messages. This flaw permits unauthorized disclosure and modification of user data, violating confidentiality and integrity, and corresponds to CWE\u2011862, Authorization Bypass Through User\u2011Managed Key.", "risk_and_exploitability": "The CVSS score is 8.7, indicating high severity. The EPSS is below 1%, implying that exploitation is unlikely in the wild, and the vulnerability is not listed in CISA\u2019s KEV catalog. Exploitation requires only that the attacker be an authenticated user with knowledge of a shared assistant ID; no elevated privileges or network access are required. The attack vector is through authenticated API access, and the impact includes potential data leakage and tampering."}}}}, "created": "2026-03-17T09:53:15.197212+00:00", "title": "Unauthorized Access to GROWI OpenAI Thread/Message APIs Exposes User Data", "updated": "2026-03-24T10:45:41.120844+00:00", "vendors": ["growi", "growi$PRODUCT$growi"]}