JVNDB-2026-000039
Missing authorization in the OpenAI thread/message API endpoints of GROWI
Overview
GROWI provided by GROWI, Inc. contains the following vulnerability.
- Missing authorization in the OpenAI thread/message API endpoints (CWE-862) - CVE-2026-25083
- This can be exploited only when an attacker knows a shared AI assistant's identifier
Sho Odagiri of GMO Cybersecurity by Ierae, Inc. reported this vulnerability to GROWI, Inc. and coordinated. After the coordination was completed, GROWI, Inc. reported the case to JPCERT/CC to notify users of the solution through JVN.
CVSS v3 Severity
Base Metrics: 8.3 (High) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: Low
CVSS v4 Severity
Base Metrics: 8.7 (High) [IPA Score]
- Access Vector (AV): Network
- Attack Complexity (AC): Low
- Attack Requirements (AT): None
- Privileges Required (PR): Low
- User Interaction (UI): None
Vulnerable System Impact
- Confidentiality Impact (VC): High
- Integrity Impact (VI): High
- Availability Impact (VA): Low
Subsequent System Impact
- Confidentiality Impact (SC): None
- Integrity Impact (SI): None
- Availability Impact (SA): None
Affected Products
GROWI, Inc.
Impact
A logged-in user may view and/or tamper with other users' threads/messages.
Solution
[Update the Software]
Update the software to the latest version.
The developer has released the following version to address this vulnerability. For more details, refer to the information provided by the developer.
Vendor Information
GROWI, Inc.
CWE
- No Mapping (CWE-Other) [IPA Evaluation]
References
- CVE-2026-25083
- JVN: JVN#46373837
Update History
- [2026/03/16] Web page was published