CVE-2026-23486
Status: Received - Intake
Information Disclosure in Blinko AI Note-Taking Endpoint Before

Publication date: 2026-03-23

Last updated on: 2026-03-24

Assigner: GitHub, Inc.

Description
Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, a publicly accessible endpoint exposes all user information, including usernames, roles, and account creation dates. This issue has been patched in version 1.8.4.
CVSS Scores: not yet assigned
EPSS Scores: probability and percentile not yet available

Meta Information
Published: 2026-03-23
Last Modified: 2026-03-24
Generated: 2026-05-27
AI Q&A: 2026-03-23
EPSS Evaluated: 2026-05-25

Affected Vendors & Products
Vendor: blinko
Product: blinko
Version / Range: up to 1.8.4 (excluding)
CWE
CWE-200: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-23486 is an information exposure vulnerability in the Blinko AI-powered card note-taking project affecting versions prior to 1.8.4. A publicly accessible API endpoint, `/api/v1/user/public-user-list`, exposed sensitive user information without requiring authentication.

This endpoint returned sensitive fields such as usernames, roles, account creation dates, and other private user details, allowing unauthorized users to access information that should have been protected.

The vulnerability was fixed by restricting the API output to only non-sensitive public information like user ID, nickname, image, and description, removing sensitive fields from the response and database queries.


How can this vulnerability impact me?

This vulnerability can lead to unauthorized disclosure of sensitive user information, including usernames, roles, and account creation dates.

Exposing roles can reveal privileged accounts such as superadmins, which could facilitate targeted attacks or user enumeration by malicious actors.

Such information disclosure increases the risk of social engineering, phishing, or other attacks aimed at compromising user accounts or the application.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by sending an unauthenticated HTTP GET request to the public API endpoint `/api/v1/user/public-user-list` and inspecting the response for sensitive user information such as usernames, roles, and account creation dates.

A simple command to test this on a system or network is using curl:

  • `curl -X GET http://<target-host>/api/v1/user/public-user-list`

If the response contains sensitive fields like `name`, `role`, `createdAt`, or other user details beyond `id`, `nickname`, `image`, and `description`, the system is vulnerable.


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade the Blinko application to version 1.8.4 or later, where the vulnerability has been patched.

The patch restricts the `/v1/user/public-user-list` endpoint to only return non-sensitive public information fields: `id`, `nickname`, `image`, and `description`.

If upgrading immediately is not possible, consider restricting access to the vulnerable endpoint by implementing authentication or network-level controls to prevent unauthorized access.
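The two answers above describe an audit (check the endpoint's response for fields beyond `id`, `nickname`, `image`, and `description`) and the fix (restrict the response to that allowlist). The script below is an added example written for this page, not Blinko's own code: it checks a captured response body from your own instance against the allowlist and shows the server-side projection the patch performs. It assumes the endpoint returns a JSON array of user objects, or an object wrapping such an array; the sample responses are constructed for illustration.

```python
import json
import sys
import urllib.request
from collections import Counter

# Fields that version 1.8.4 still returns from /api/v1/user/public-user-list
PUBLIC_USER_FIELDS = frozenset({"id", "nickname", "image", "description"})

# Labels for the fields the advisory names; any key outside the allowlist is
# reported, these just make the report easier to read
FIELD_LABELS = {"name": "username", "role": "role", "createdAt": "account creation date"}


def _user_records(data):
    """Assumption: the body is a JSON array of user objects, or an object whose
    first list-valued member holds them. Returns only dict entries."""
    if isinstance(data, list):
        return [r for r in data if isinstance(r, dict)]
    if isinstance(data, dict):
        for value in data.values():
            if isinstance(value, list):
                return [r for r in value if isinstance(r, dict)]
    return []


def find_leaked_fields(response_body: str) -> dict:
    """Return {field_name: number_of_records_carrying_it} for every key that is
    not on the public allowlist. An empty dict means the response is clean."""
    counts = Counter()
    for record in _user_records(json.loads(response_body)):
        for key in record:
            if key not in PUBLIC_USER_FIELDS:
                counts[key] += 1
    return dict(counts)


def is_vulnerable(response_body: str) -> bool:
    """True when the unauthenticated response carries any non-public field."""
    return bool(find_leaked_fields(response_body))


def redact_to_public(record: dict) -> dict:
    """Server-side projection mirroring the 1.8.4 fix: drop every field that is
    not explicitly allowlisted, rather than denylisting known-sensitive ones."""
    return {k: v for k, v in record.items() if k in PUBLIC_USER_FIELDS}


def describe(leaked: dict) -> str:
    """Human-readable audit line for a leak report."""
    if not leaked:
        return "OK: only public fields returned"
    parts = [f"{FIELD_LABELS.get(k, k)} ({k}) in {n} record(s)" for k, n in sorted(leaked.items())]
    return "VULNERABLE: " + ", ".join(parts)


# Constructed sample of a pre-1.8.4 response (not real data)
VULNERABLE_RESPONSE = json.dumps([
    {"id": 1, "name": "admin", "nickname": "Admin", "role": "superadmin",
     "image": None, "description": "", "createdAt": "2026-01-02T00:00:00Z"},
    {"id": 2, "name": "alice", "nickname": "Alice", "role": "user",
     "image": None, "description": "notes", "createdAt": "2026-02-03T00:00:00Z"},
])

# Constructed sample of the same data after the allowlist projection
PATCHED_RESPONSE = json.dumps([redact_to_public(r) for r in json.loads(VULNERABLE_RESPONSE)])

# Same records wrapped in an envelope object, to exercise the unwrapping assumption
WRAPPED_RESPONSE = json.dumps({"data": json.loads(VULNERABLE_RESPONSE)})


if __name__ == "__main__":
    # Usage: python audit.py http://<your-blinko-host>
    # Without an argument the constructed samples are audited instead.
    if len(sys.argv) > 1:
        url = sys.argv[1].rstrip("/") + "/api/v1/user/public-user-list"
        with urllib.request.urlopen(url, timeout=10) as resp:  # deliberately unauthenticated
            body = resp.read().decode("utf-8")
        print(describe(find_leaked_fields(body)))
    else:
        print("sample pre-patch :", describe(find_leaked_fields(VULNERABLE_RESPONSE)))
        print("sample post-patch:", describe(find_leaked_fields(PATCHED_RESPONSE)))
```

The check is an allowlist comparison rather than a search for the three fields named in the advisory, so a response that adds some other private attribute is still flagged; `redact_to_public` applies the same allowlist on the way out, which is the shape of fix the answer above describes.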

