Shiori Privilege Escalation via Account Update Endpoint (CVE-2026-61463)
Shiori contains a privilege escalation vulnerability in its account update endpoint that allows authenticated users to exploit this by sending a crafted PATCH request to modify the 'owner' field to 'true' without proper authorization checks, leading to administrative access and full system control.
CVE-2026-61463 describes a critical privilege escalation vulnerability affecting Shiori, an open-source bookmark manager. This flaw allows any authenticated user to elevate their privileges to that of an administrator. The vulnerability, published on July 13, 2026, resides in the application's account update endpoint, specifically /api/v1/auth/account, where inadequate authorization checks fail to prevent the modification of the owner field. Attackers can craft a PATCH request containing owner: true in the request body and, upon successful submission, re-authenticate to receive an administrative JSON Web Token (JWT). This grants them full, unrestricted control over the Shiori instance, posing a significant risk to data integrity and system availability. While active exploitation has not been publicly confirmed, the simplicity of exploitation and high impact make it a severe threat.
Attack Chain
- An attacker gains initial authenticated access to a Shiori instance as a regular user.
- The attacker identifies the insecure account update endpoint
/api/v1/auth/accountthat lacks proper authorization controls for privilege modification. - A malicious
PATCHHTTP request is crafted, targeting the identified account update endpoint. - The request body is manipulated to include the parameter
owner: true, indicating an attempt to escalate privileges. - The crafted
PATCHrequest is sent to the Shiori server, exploiting the vulnerability by bypassing authorization checks. - Upon successful modification of the user's
ownerstatus, the attacker re-authenticates to the Shiori instance. - The re-authentication process issues a new JSON Web Token (JWT) that now contains administrative privileges.
- The attacker uses this newly acquired admin JWT to execute privileged operations, gaining full control over the Shiori application and potentially underlying data.
Impact
Successful exploitation of CVE-2026-61463 leads to complete compromise of the Shiori instance. An attacker can elevate a standard user account to an administrative one, gaining full control over all stored bookmarks, user accounts, and potentially any data managed by the application. This could result in unauthorized access to sensitive information, data manipulation or deletion, service disruption, or further lateral movement within the hosting environment if other vulnerabilities are present. The impact is critical for organizations using Shiori to manage sensitive or private information, as it compromises data confidentiality, integrity, and availability.
Recommendation
- Patch CVE-2026-61463 by upgrading Shiori to version 1.8.0 or later immediately, as detailed in the official project references.
- Enable comprehensive logging for your web server and Shiori application to capture full HTTP request methods, URIs (such as
/api/v1/auth/account), and request bodies (if feasible) to detect suspiciousPATCHrequests that attempt to modify sensitive user attributes like theownerfield.
Indicators of compromise
4
url
| Type | Value |
|---|---|
| url | https://github.com/go-shiori/shiori |
| url | https://github.com/go-shiori/shiori/commit/6c8a7dbc11b131609bfda736b14d61c51f9027b2 |
| url | https://github.com/go-shiori/shiori/issues/1196 |
| url | https://www.vulncheck.com/advisories/shiori-authenticated-privilege-escalation-via-patch-api-v1-auth-account |