Growi
A critical authentication bypass vulnerability exists in GROWI's OpenAI assistant API endpoints, where authorization checks are missing, allowing any authenticated user to access and manipulate other users' AI assistant conversations. The vulnerability affects GROWI versions 7.4.5 and earlier, enabling attackers with low-privilege credentials to compromise the confidentiality and integrity of AI assistant threads and messages simply by knowing the assistant identifier. While not currently listed in CISA KEV and with no public exploit code identified, the vulnerability carries a high CVSS score of 8.3 due to its low exploitation complexity and significant data exposure potential.