What is the CVSS score of CVE-2026-23487?

CVE-2026-23487 has a CVSS 3.1 base score of 6.5 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. EPSS exploitation probability: 0.0%.

Which versions of Blinko are affected by CVE-2026-23487?

Organizations using Token. This issue has been patched in should be aware of notable risk from CVE-2026-23487, a IDOR vulnerability rated CVSS 6.5.. A patch is available.

How to fix or mitigate CVE-2026-23487?

Within 30 days: Identify affected systems running Token. This issue has been patched in and apply vendor patches as part of regular patch cycle. Monitor vendor channels for patch availability.

Blinko CVE-2026-23487

EUVD-2026-14543 MEDIUM

Authorization Bypass Through User-Controlled Key (CWE-639)

2026-03-23 GitHub_M

Authentication Bypass Blinko

6.5

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

6.5 MEDIUM

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

Patch available

Apr 16, 2026 - 05:29 EUVD

1.8.4

EUVD ID Assigned

Mar 23, 2026 - 21:00 euvd

EUVD-2026-14543

Analysis Generated

Mar 23, 2026 - 21:00 vuln.today

CVE Published

Mar 23, 2026 - 20:45 nvd

MEDIUM 6.5

DescriptionGitHub Advisory

Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, there is an IDOR vulnerability where user.detail Endpoint Leaks the Superadmin Token. This issue has been patched in version 1.8.4.

AnalysisAI

An Insecure Direct Object Reference (IDOR) vulnerability in Blinko versions prior to 1.8.4 allows authenticated attackers to leak the superadmin token through the user.detail endpoint by manipulating user identifiers. This authentication bypass vulnerability has a CVSS score of 6.0 and affects the Blinko AI-powered note-taking application. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment	While the CVSS score of 6.0 reflects medium severity, the real-world risk is elevated due to several compounding factors. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker with valid Blinko user credentials could systematically iterate through user identifiers in requests to the user.detail endpoint (e.g., /api/user.detail?id=1, /api/user.detail?id=2, etc.) and extract superadmin tokens from responses. Due to the High attack complexity, the attacker may need to identify the correct user ID format or discovery mechanism, but once successful, the leaked superadmin token provides complete administrative access to the entire Blinko instance, enabling data exfiltration, user account manipulation, and malicious configuration changes. …
Remediation	Immediately upgrade Blinko to version 1.8.4 or later, which patches the IDOR vulnerability in the user.detail endpoint. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 30 days: Identify affected systems running Token. …

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-23487 vulnerability details – vuln.today

Back

Blinko CVE-2026-23487

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

AnalysisAI

Unlock full vulnerability intelligence

Vulnerability AssessmentAI

Recommended ActionAI

Share

External POC / Exploit Code