Skip to main content

Shiori CVE-2026-61463

HIGH
Improper Privilege Management (CWE-269)
2026-07-13 VulnCheck
8.7
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.8 HIGH

Network endpoint with low complexity requires only an existing low-privilege account (PR:L) and no interaction; escalation to admin grants full confidentiality, integrity and availability, scope unchanged within the app.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Source Code Evidence Fetched
Jul 13, 2026 - 19:26 vuln.today
Analysis Generated
Jul 13, 2026 - 19:26 vuln.today
CVE Published
Jul 13, 2026 - 17:22 cve.org
HIGH 8.7

DescriptionCVE.org

Shiori contains a privilege escalation vulnerability in the account update endpoint that allows authenticated users to modify the owner field without authorization checks. Attackers can escalate to administrator by submitting a crafted PATCH request with owner: true, then re-authenticate to obtain an admin JWT token granting full system access.

AnalysisAI

Vertical privilege escalation in Shiori (go-shiori), the self-hosted Go bookmark manager, lets any authenticated low-privilege user promote themselves to administrator. By sending a crafted PATCH request to the /api/v1/auth/account update endpoint with owner: true - a field that lacked an authorization check - the user flips their own owner flag, then re-authenticates to receive an admin JWT granting full system access. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privilege Shiori account
Delivery
Send PATCH /api/v1/auth/account with owner:true
Exploit
Owner flag persisted without authz check
Execution
Re-authenticate to mint admin JWT
Impact
Full administrative system access

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid authenticated Shiori account of any privilege level (PR:L) and network reachability to the API; the attacker sends a PATCH request to the /api/v1/auth/account update endpoint including the owner field set to true, then re-authenticates to obtain the elevated JWT. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 8.7 (AV:N/AC:L/AT:N/PR:L/UI:N, VC:H/VI:H/VA:H) reflects a network-reachable, low-complexity attack needing only low privileges and no user interaction, yielding full confidentiality, integrity and availability impact on the vulnerable system. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers or is granted an ordinary Shiori account on a shared or internet-exposed instance, then sends a single PATCH request to the account-update endpoint with the JSON body {"owner": true}. The server persists the change without an authorization check, so the attacker logs out and back in, receives an admin JWT, and gains full control over all bookmarks, users, and system settings. …
Remediation Upstream fix available (PR/commit); released patched version not independently confirmed - upgrade to a Shiori build that includes commit 6c8a7dbc11b131609bfda736b14d61c51f9027b2, which enforces that only existing owners may change the owner flag, and consult the VulnCheck advisory (https://www.vulncheck.com/advisories/shiori-authenticated-privilege-escalation-via-patch-api-v1-auth-account) and issue https://github.com/go-shiori/shiori/issues/1196 for release status. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, identify and inventory all Shiori deployments in your infrastructure. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-61463 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy