๐Ÿ” CVE Alert

CVE-2026-61463

HIGH 8.8

Shiori Authenticated Privilege Escalation via PATCH /api/v1/auth/account

CVSS Score
8.8
EPSS Score
0.0%
EPSS Percentile
0th

Shiori contains a privilege escalation vulnerability in the account update endpoint that allows authenticated users to modify the owner field without authorization checks. Attackers can escalate to administrator by submitting a crafted PATCH request with owner: true, then re-authenticate to obtain an admin JWT token granting full system access.

CWE CWE-269
Vendor go-shiori
Product shiori
Published Jul 13, 2026
Last Updated Jul 13, 2026
Stay Ahead of the Next One

Get instant alerts for go-shiori shiori

Be the first to know when new high vulnerabilities affecting go-shiori shiori are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Affected Versions

go-shiori / shiori
0 < 1.8.0

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/go-shiori/shiori/issues/1196 github.com: https://github.com/go-shiori/shiori github.com: https://github.com/go-shiori/shiori/commit/6c8a7dbc11b131609bfda736b14d61c51f9027b2 vulncheck.com: https://www.vulncheck.com/advisories/shiori-authenticated-privilege-escalation-via-patch-api-v1-auth-account

Credits

๐Ÿ” George Chen