CVE-2026-61463
Shiori Authenticated Privilege Escalation via PATCH /api/v1/auth/account
CVSS Score
8.8
EPSS Score
0.0%
EPSS Percentile
0th
Shiori contains a privilege escalation vulnerability in the account update endpoint that allows authenticated users to modify the owner field without authorization checks. Attackers can escalate to administrator by submitting a crafted PATCH request with owner: true, then re-authenticate to obtain an admin JWT token granting full system access.
| CWE | CWE-269 |
| Vendor | go-shiori |
| Product | shiori |
| Published | Jul 13, 2026 |
| Last Updated | Jul 13, 2026 |
Stay Ahead of the Next One
Get instant alerts for go-shiori shiori
Be the first to know when new high vulnerabilities affecting go-shiori shiori are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Affected Versions
go-shiori / shiori
0 < 1.8.0
References
github.com: https://github.com/go-shiori/shiori/issues/1196 github.com: https://github.com/go-shiori/shiori github.com: https://github.com/go-shiori/shiori/commit/6c8a7dbc11b131609bfda736b14d61c51f9027b2 vulncheck.com: https://www.vulncheck.com/advisories/shiori-authenticated-privilege-escalation-via-patch-api-v1-auth-account
Credits
๐ George Chen