Privilege Escalation Vulnerability in Shiori by Go Shiori
CVE-2026-61463

8.7HIGH

Key Information:

Vendor

Go-shiori

Status
Vendor
CVE Published:
13 July 2026

What is CVE-2026-61463?

Shiori features a vulnerability that allows authenticated users to escalate their privileges without proper authorization checks on the account update endpoint. By sending a carefully crafted PATCH request, an attacker can modify the owner field, granting them the ability to assume administrative rights. After this manipulation, the attacker can re-authenticate to acquire an admin JWT token, which provides complete access to the system. This vulnerability poses significant security risks, as it can enable unauthorized users to gain control over sensitive system functionalities.

Affected Version(s)

shiori 0

References

CVSS V4

Score:
8.7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

George Chen
.