Authorization Flaw in GROWI OpenAI API Endpoints by GROWI
CVE-2026-25083

8.7HIGH

Key Information:

Vendor: Growi, Inc.
Status: Growi
Vendor: CVE Published:; 16 March 2026

🔔 Create Growi, Inc. Vulnerability Alert

What is CVE-2026-25083?

The GROWI OpenAI thread/message API endpoints lack proper authorization checks, allowing unauthorized users to access and modify threads or messages belonging to others. This significantly compromises user data security, as a logged-in user aware of a shared AI assistant's identifier can exploit this vulnerability, potentially leading to unauthorized access to sensitive information. It is crucial for users of GROWI OpenAI to review their usage guidelines and implement necessary security measures.

Affected Version(s)

GROWI v7.4.5 and earlier

References

https://jvn.jp/en/jp/JVN46373837/

https://growi.co.jp/news/41/

CVSS V4

Score:

8.7

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

CVSS V3.0

Score:

8.3

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 16, 2026
Vulnerability Reserved
Mar 12, 2026

CVE-2026-25083 Data

JSON