Skip to main content

GROWI CVE-2026-25083

| EUVDEUVD-2026-12343 HIGH
Missing Authorization (CWE-862)
2026-03-16 jpcert
8.7
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

6
Analysis Updated
May 19, 2026 - 15:43 vuln.today
v1 (cvss_changed)
Re-analysis Queued
May 19, 2026 - 15:37 vuln.today
cvss_changed
CVSS changed
May 19, 2026 - 15:37 NVD
8.3 (HIGH) 8.7 (HIGH)
EUVD ID Assigned
Mar 16, 2026 - 09:00 euvd
EUVD-2026-12343
Analysis Generated
Mar 16, 2026 - 09:00 vuln.today
CVE Published
Mar 16, 2026 - 06:47 nvd
HIGH 8.3

DescriptionCVE.org

GROWI OpenAI thread/message API endpoints do not perform authorization. Affected are v7.4.5 and earlier versions. A logged-in user who knows a shared AI assistant's identifier may view and/or tamper the other user's threads/messages.

AnalysisAI

Cross-user data exposure and tampering in GROWI v7.4.5 and earlier allows any authenticated user who learns a shared AI assistant's identifier to read or modify other users' OpenAI thread and message contents via API endpoints that omit authorization checks. The flaw stems from missing access control (CWE-862) on the AI assistant interaction layer rather than a memory-corruption or injection bug. No public exploit identified at time of analysis, and EPSS rates near-term exploitation probability at 0.04% (12th percentile).

Technical ContextAI

GROWI is an open-source enterprise wiki/collaboration platform developed by WESEEK (growi.co.jp) that integrates an OpenAI-backed AI assistant feature, mirroring the OpenAI Assistants API concept of persistent threads (conversation containers) and messages (individual turns). The vulnerability is a textbook CWE-862 Missing Authorization: the REST endpoints that read and mutate threads/messages authenticate the caller's session but never verify that the caller is the owner of the targeted thread/message resource, so any logged-in account can act on another user's thread by supplying the corresponding shared-assistant identifier. The CPE cpe:2.3:a:growi,_inc.:growi:*:*:*:*:*:*:*:* indicates all version branches up through 7.4.5 are in scope.

RemediationAI

No vendor-released patch version is cited in the provided intelligence, but the vendor has published an advisory at https://growi.co.jp/news/41/ and JPCERT's coordinated disclosure at https://jvn.jp/en/jp/JVN46373837/ - administrators should consult those advisories for the fixed release (expected to be the next version after 7.4.5) and upgrade as soon as it is available. Until a fixed build is deployed, compensating controls include disabling the OpenAI assistant integration in GROWI configuration to remove the vulnerable endpoints from the attack surface (trade-off: loss of AI assistant functionality for all users), restricting access to the GROWI instance to a trusted user pool via SSO/IdP group gating (trade-off: does not stop malicious insiders), and treating shared AI assistant identifiers as sensitive - rotate them and audit logs for unexpected thread/message reads or edits. Generic network filtering will not help because the attack uses authenticated application-layer requests.

More in Growi

View all
CVE-2021-20736 CRITICAL
9.1 Jun 22

NoSQL injection vulnerability in GROWI versions prior to v4.2.20 allows a remote attacker to obtain and/or alter the inf

CVE-2019-5968 HIGH
8.8 Jul 05

Cross-site request forgery (CSRF) vulnerability in GROWI v3.4.6 and earlier allows remote attackers to hijack the authen

CVE-2026-41040 HIGH
8.7 Apr 23

Remote denial of service via regular expression attack in GROWI allows unauthenticated network attackers to exhaust serv

CVE-2026-41951 HIGH
8.6 May 11

Remote path traversal in GROWI v7.5.0 and earlier allows authenticated administrators to execute arbitrary EJS templates

CVE-2021-20670 HIGH
7.5 Mar 10

Improper access control vulnerability in GROWI versions v4.2.2 and earlier allows a remote unauthenticated attacker to r

CVE-2020-5683 HIGH
7.5 Dec 16

Directory traversal vulnerability in GROWI versions prior to v4.2.3 (v4.2 Series), GROWI versions prior to v4.1.12 (v4.1

CVE-2020-5682 HIGH
7.5 Dec 16

Improper input validation in GROWI versions prior to v4.2.3 (v4.2 Series), GROWI versions prior to v4.1.12 (v4.1 Series)

CVE-2020-5676 HIGH
7.5 Dec 03

GROWI v4.1.3 and earlier allow remote attackers to obtain information which is not allowed to access via unspecified vec

CVE-2019-13338 HIGH
7.5 Jul 09

In WESEEK GROWI before 3.5.0, a remote attacker can obtain the password hash of the creator of a page by leveraging wiki

CVE-2019-13337 HIGH
7.5 Jul 09

In WESEEK GROWI before 3.5.0, the site-wide basic authentication can be bypassed by adding a URL parameter access_token

CVE-2021-20671 HIGH
7.2 Mar 10

Invalid file validation on the upload feature in GROWI versions v4.2.2 allows a remote attacker with administrative priv

CVE-2023-50332 MEDIUM
6.5 Dec 26

Improper authorization vulnerability exists in the User Management (/admin/users) page of GROWI versions prior to v6.0.6

Share

CVE-2026-25083 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy