CVE-2026-25083
Status: Deferred - Pending Action
Authorization Bypass in GROWI OpenAI API Allows Data Tampering

Publication date: 2026-03-16

Last updated on: 2026-05-19

Assigner: JPCERT/CC

Description
The GROWI OpenAI thread/message API endpoints do not perform an authorization check. Affected versions are v7.4.5 and earlier. A logged-in user who knows a shared AI assistant's identifier can view and/or tamper with other users' threads and messages.
Meta Information
Published: 2026-03-16
Last Modified: 2026-05-19
Generated: 2026-06-16
AI Q&A: 2026-03-16
EPSS Evaluated: 2026-06-15
External references: NVD, EUVD
Affected Vendors & Products
Vendor: growi
Product: growi
Version / Range: all versions before 7.4.6 (7.4.6 itself is not affected)
CWE
CWE-862: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Executive Summary

CVE-2026-25083 is a missing authorization vulnerability found in the OpenAI thread/message API endpoints of GROWI versions 7.4.5 and earlier.

This vulnerability allows a logged-in user who knows a shared AI assistant's identifier to view and potentially tamper with other users' threads and messages without proper authorization.

The issue can be exploited remotely without user interaction but requires some level of privileges. [1, 2]

Impact Analysis

This vulnerability can lead to unauthorized access and manipulation of other users' AI assistant threads and messages.

Such unauthorized access compromises confidentiality, integrity, and availability of user data within the GROWI system.

Attackers with some privileges can remotely exploit this vulnerability to view sensitive information or alter messages, potentially causing data breaches or disruption. [1, 2]

Mitigation Strategies

To mitigate the vulnerability in GROWI versions 7.4.5 and earlier, users should update GROWI to version 7.4.6 or later, where the issue has been fixed.

This update addresses the missing authorization vulnerability in the OpenAI thread/message API endpoints that allows logged-in users to view or tamper with other users' threads and messages. [1, 2]
