CVE-2026-61463
go-shiori · shiori
Shiori is vulnerable to a privilege escalation flaw in the account update endpoint, allowing authenticated users to modify the owner field without proper authorization checks.
Executive summary
A privilege escalation vulnerability in Shiori allows authenticated users to gain unauthorized administrative control by modifying account ownership.
Vulnerability
The vulnerability is an Improper Privilege Management (CWE-269) issue located in the account update API. An attacker with low-level authenticated access can manipulate the request to escalate their privileges by altering the owner field of an account.
Business impact
The ability to elevate privileges to an owner level allows for total compromise of the application, including full access to all data and administrative settings. With a CVSS score of 8.8, this vulnerability represents a severe risk to data integrity and system confidentiality.
Remediation
Immediate Action: Update Shiori to version 1.8.0 or later to ensure proper authorization checks are applied to the account update endpoint.
Proactive Monitoring: Review audit logs for unauthorized changes to user roles or modifications to the owner field of existing accounts.
Compensating Controls: If an immediate update is not feasible, restrict access to the account management API to trusted administrative IP addresses only.
Exploitation status
Public Exploit Available: No (Exploit status unknown)
Analyst recommendation
Given the existence of a proof-of-concept and the high-impact nature of privilege escalation, organizations using Shiori must prioritize applying the 1.8.0 update. Failure to remediate this flaw exposes the system to complete administrative takeover by any authenticated user.