Arbitrary Group Assignment in Wiki.js by Requarks
CVE-2026-44224

8.6 HIGH

Key Information:

Vendor

Requarks

Status
Vendor
CVE Published:
12 May 2026

What is CVE-2026-44224?

Wiki.js, an open-source wiki application built on Node.js, contains a vulnerability prior to version 2.5.313: the users.update GraphQL mutation accepts an arbitrary array of groups without checking whether the caller is allowed to assign them. A user holding the manage:users permission (typically a moderator) can therefore add themselves to elevated groups, including Administrators. After re-authenticating, that user is issued a fresh JWT carrying manage:system rights, which amounts to full administrative access in a single operation. The flaw is fixed in version 2.5.313; it illustrates why user-management endpoints need strict input validation and ownership checks on group assignment.

Affected Version(s)

wiki < 2.5.313

References

CVSS V4

Score:
8.6
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
