{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/shiori--1.8.0/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-61463"}],"_cs_exploited":true,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Shiori (\u003c 1.8.0)"],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","vulnerability","web-application"],"_cs_type":"threat","_cs_vendors":["go-shiori"],"content_html":"\u003cp\u003eCVE-2026-61463 describes a critical privilege escalation vulnerability affecting Shiori, an open-source bookmark manager. This flaw allows any authenticated user to elevate their privileges to that of an administrator. The vulnerability, published on July 13, 2026, resides in the application's account update endpoint, specifically \u003ccode\u003e/api/v1/auth/account\u003c/code\u003e, where inadequate authorization checks fail to prevent the modification of the \u003ccode\u003eowner\u003c/code\u003e field. Attackers can craft a \u003ccode\u003ePATCH\u003c/code\u003e request containing \u003ccode\u003eowner: true\u003c/code\u003e in the request body and, upon successful submission, re-authenticate to receive an administrative JSON Web Token (JWT). This grants them full, unrestricted control over the Shiori instance, posing a significant risk to data integrity and system availability. While active exploitation has not been publicly confirmed, the simplicity of exploitation and high impact make it a severe threat.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial authenticated access to a Shiori instance as a regular user.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the insecure account update endpoint \u003ccode\u003e/api/v1/auth/account\u003c/code\u003e that lacks proper authorization controls for privilege modification.\u003c/li\u003e\n\u003cli\u003eA malicious \u003ccode\u003ePATCH\u003c/code\u003e HTTP request is crafted, targeting the identified account update endpoint.\u003c/li\u003e\n\u003cli\u003eThe request body is manipulated to include the parameter \u003ccode\u003eowner: true\u003c/code\u003e, indicating an attempt to escalate privileges.\u003c/li\u003e\n\u003cli\u003eThe crafted \u003ccode\u003ePATCH\u003c/code\u003e request is sent to the Shiori server, exploiting the vulnerability by bypassing authorization checks.\u003c/li\u003e\n\u003cli\u003eUpon successful modification of the user's \u003ccode\u003eowner\u003c/code\u003e status, the attacker re-authenticates to the Shiori instance.\u003c/li\u003e\n\u003cli\u003eThe re-authentication process issues a new JSON Web Token (JWT) that now contains administrative privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker uses this newly acquired admin JWT to execute privileged operations, gaining full control over the Shiori application and potentially underlying data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-61463 leads to complete compromise of the Shiori instance. An attacker can elevate a standard user account to an administrative one, gaining full control over all stored bookmarks, user accounts, and potentially any data managed by the application. This could result in unauthorized access to sensitive information, data manipulation or deletion, service disruption, or further lateral movement within the hosting environment if other vulnerabilities are present. The impact is critical for organizations using Shiori to manage sensitive or private information, as it compromises data confidentiality, integrity, and availability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-61463 by upgrading Shiori to version 1.8.0 or later immediately, as detailed in the official project references.\u003c/li\u003e\n\u003cli\u003eEnable comprehensive logging for your web server and Shiori application to capture full HTTP request methods, URIs (such as \u003ccode\u003e/api/v1/auth/account\u003c/code\u003e), and request bodies (if feasible) to detect suspicious \u003ccode\u003ePATCH\u003c/code\u003e requests that attempt to modify sensitive user attributes like the \u003ccode\u003eowner\u003c/code\u003e field.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-13T18:19:58Z","date_published":"2026-07-13T18:19:58Z","id":"https://feed.craftedsignal.io/briefs/2026-07-shiori-privilege-escalation/","summary":"Shiori contains a privilege escalation vulnerability in its account update endpoint that allows authenticated users to exploit this by sending a crafted PATCH request to modify the 'owner' field to 'true' without proper authorization checks, leading to administrative access and full system control.","title":"Shiori Privilege Escalation via Account Update Endpoint (CVE-2026-61463)","url":"https://feed.craftedsignal.io/briefs/2026-07-shiori-privilege-escalation/"}],"language":"en","title":"CraftedSignal Threat Feed - Shiori (\u003c 1.8.0)","version":"https://jsonfeed.org/version/1.1"}