Shiori
CVE-2026-61463
HIGH
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network endpoint with low complexity requires only an existing low-privilege account (PR:L) and no interaction; escalation to admin grants full confidentiality, integrity and availability, scope unchanged within the app.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Shiori contains a privilege escalation vulnerability in the account update endpoint that allows authenticated users to modify the owner field without authorization checks. Attackers can escalate to administrator by submitting a crafted PATCH request with owner: true, then re-authenticate to obtain an admin JWT token granting full system access.
AnalysisAI
Vertical privilege escalation in Shiori (go-shiori), the self-hosted Go bookmark manager, lets any authenticated low-privilege user promote themselves to administrator. By sending a crafted PATCH request to the /api/v1/auth/account update endpoint with owner: true - a field that lacked an authorization check - the user flips their own owner flag, then re-authenticates to receive an admin JWT granting full system access. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid authenticated Shiori account of any privilege level (PR:L) and network reachability to the API; the attacker sends a PATCH request to the /api/v1/auth/account update endpoint including the owner field set to true, then re-authenticates to obtain the elevated JWT. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 score of 8.7 (AV:N/AC:L/AT:N/PR:L/UI:N, VC:H/VI:H/VA:H) reflects a network-reachable, low-complexity attack needing only low privileges and no user interaction, yielding full confidentiality, integrity and availability impact on the vulnerable system. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers or is granted an ordinary Shiori account on a shared or internet-exposed instance, then sends a single PATCH request to the account-update endpoint with the JSON body {"owner": true}. The server persists the change without an authorization check, so the attacker logs out and back in, receives an admin JWT, and gains full control over all bookmarks, users, and system settings. … |
| Remediation | Upstream fix available (PR/commit); released patched version not independently confirmed - upgrade to a Shiori build that includes commit 6c8a7dbc11b131609bfda736b14d61c51f9027b2, which enforces that only existing owners may change the owner flag, and consult the VulnCheck advisory (https://www.vulncheck.com/advisories/shiori-authenticated-privilege-escalation-via-patch-api-v1-auth-account) and issue https://github.com/go-shiori/shiori/issues/1196 for release status. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, identify and inventory all Shiori deployments in your infrastructure. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-269 – Improper Privilege Management
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today