CVE-2026-61463

go-shiori · shiori

Shiori is vulnerable to a privilege escalation flaw in the account update endpoint, allowing authenticated users to modify the owner field without proper authorization checks.

Executive summary

A privilege escalation vulnerability in Shiori allows authenticated users to gain unauthorized administrative control by modifying account ownership.

Vulnerability

The vulnerability is an Improper Privilege Management (CWE-269) issue located in the account update API. An attacker with low-level authenticated access can manipulate the request to escalate their privileges by altering the owner field of an account.

Business impact

The ability to elevate privileges to an owner level allows for total compromise of the application, including full access to all data and administrative settings. With a CVSS score of 8.8, this vulnerability represents a severe risk to data integrity and system confidentiality.

Remediation

Immediate Action: Update Shiori to version 1.8.0 or later to ensure proper authorization checks are applied to the account update endpoint.

Proactive Monitoring: Review audit logs for unauthorized changes to user roles or modifications to the owner field of existing accounts.

Compensating Controls: If an immediate update is not feasible, restrict access to the account management API to trusted administrative IP addresses only.

Exploitation status

Public Exploit Available: No (Exploit status unknown)

Analyst recommendation

Given the existence of a proof-of-concept and the high-impact nature of privilege escalation, organizations using Shiori must prioritize applying the 1.8.0 update. Failure to remediate this flaw exposes the system to complete administrative takeover by any authenticated user.