CVE-2026-23486
Information Disclosure in Blinko AI Note-Taking Endpoint Before

Publication date: 2026-03-23

Last updated on: 2026-03-24

Assigner: GitHub, Inc.

Description
Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, a publicly accessible endpoint exposes all user information, including usernames, roles, and account creation dates. This issue has been patched in version 1.8.4.
Affected Vendors & Products
Vendor: blinko
Product: blinko
Version / Range: all versions before 1.8.4 (1.8.4 excluded)
CWE
CWE-200: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Executive Summary

CVE-2026-23486 is an information exposure vulnerability in the Blinko AI-powered card note-taking project affecting versions prior to 1.8.4. A publicly accessible API endpoint, `/api/v1/user/public-user-list`, exposed sensitive user information without requiring authentication.

This endpoint returned sensitive fields such as usernames, roles, account creation dates, and other private user details, allowing unauthorized users to access information that should have been protected.

The vulnerability was fixed by restricting the API output to only non-sensitive public information like user ID, nickname, image, and description, removing sensitive fields from the response and database queries.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive user information, including usernames, roles, and account creation dates.

Exposing roles can reveal privileged accounts such as superadmins, which could facilitate targeted attacks or user enumeration by malicious actors.

Such information disclosure increases the risk of social engineering, phishing, or other attacks aimed at compromising user accounts or the application.

Detection Guidance

This vulnerability can be detected by sending an unauthenticated HTTP GET request to the public API endpoint `/api/v1/user/public-user-list` and inspecting the response for sensitive user information such as usernames, roles, and account creation dates.

A simple way to test this against a deployment you administer is with curl:

  • curl -X GET http://<target-host>/api/v1/user/public-user-list

If the response contains sensitive fields like `name`, `role`, `createdAt`, or other user details beyond `id`, `nickname`, `image`, and `description`, the system is vulnerable.

Mitigation Strategies

The immediate mitigation step is to upgrade the Blinko application to version 1.8.4 or later, where the vulnerability has been patched.

The patch restricts the `/v1/user/public-user-list` endpoint to only return non-sensitive public information fields: `id`, `nickname`, `image`, and `description`.

If upgrading immediately is not possible, consider restricting access to the vulnerable endpoint by implementing authentication or network-level controls to prevent unauthorized access.
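As an added example (not Blinko's own code), the following Python script checks a captured response from the public-user-list endpoint against the patched field set, so an operator can confirm a deployment returns only `id`, `nickname`, `image` and `description`, and it shows the allow-list projection the 1.8.4 fix applies. The sample response and the `data`/`result` envelope keys are constructed assumptions.

```python
import json

# Fields the patched (1.8.4) endpoint is allowed to return, per the advisory.
PUBLIC_FIELDS = frozenset({"id", "nickname", "image", "description"})

# Constructed sample body resembling an unpatched public-user-list response.
# It is not captured from a real host.
SAMPLE_VULNERABLE_RESPONSE = json.dumps([
    {"id": 1, "name": "admin", "nickname": "Admin", "role": "superadmin",
     "createdAt": "2025-01-01T00:00:00Z", "image": "", "description": ""},
    {"id": 2, "name": "alice", "nickname": "Alice", "role": "user",
     "createdAt": "2025-02-01T00:00:00Z", "image": "", "description": "hi"},
])

def extract_users(body: str) -> list:
    """Return the user objects from a JSON body: either a bare list or a
    wrapper object holding the list under 'data' or 'result' (assumed
    envelope shapes; adjust to what the deployment actually returns)."""
    payload = json.loads(body)
    if isinstance(payload, dict):
        for key in ("data", "result"):
            if isinstance(payload.get(key), list):
                payload = payload[key]
                break
    if not isinstance(payload, list):
        raise ValueError("unrecognised response shape")
    return [u for u in payload if isinstance(u, dict)]

def leaked_fields(body: str) -> dict:
    """Map each user id to the fields returned beyond PUBLIC_FIELDS.
    An empty dict means the response matches the patched field set."""
    leaks = {}
    for user in extract_users(body):
        extra = set(user) - PUBLIC_FIELDS
        if extra:
            leaks[str(user.get("id"))] = extra
    return leaks

def to_public_user(user: dict) -> dict:
    """Allow-list projection in the shape of the 1.8.4 fix (illustrative:
    the real patch also removes the sensitive columns from the DB query)."""
    return {k: user.get(k) for k in sorted(PUBLIC_FIELDS)}

def sanitize_body(body: str) -> str:
    """Re-serialise a response keeping only the public fields per user."""
    return json.dumps([to_public_user(u) for u in extract_users(body)])
```

Feed `leaked_fields` the body of a response from your own instance; a non-empty result lists, per user, the fields the endpoint still exposes beyond the patched set.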
