CVE-2026-44224HIGH 8.8EPSS p29.5%

CVE-2026-44224CVE-2026-44224

Description

Wiki.js is an open source wiki app built on Node.js. Prior to 2.5.313, the users.update GraphQL mutation accepts an arbitrary groups array and applies it directly to the database with no validation of the group IDs supplied. The resolver passes the caller's arguments straight to the model without any ownership check or restriction on which groups can be assigned. A user with manage:users — a permission typically delegated to wiki moderators for account management — can set groups:[1] on their own account to self-assign to the Administrators group. After re-authentication, the fresh JWT carries manage:system, granting full site administrator access in a single mutation call. This vulnerability is fixed in 2.5.313.

Scoring

CVSS 3.18.8 (HIGH)
VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS0.38% probability of exploitation · percentile 29.5% · 2026-06-18T12:00:27Z
Published2026-05-12
Last modified2026-05-14

Underlying weaknesses· 1

CWE-269

References

  1. https://github.com/requarks/wiki/security/advisories/GHSA-cq3g-mwrg-v2rv
  2. https://github.com/requarks/wiki/security/advisories/GHSA-cq3g-mwrg-v2rv

1

TypeTargetConfidenceTier
WeaknessImproper Privilege Managementcwe-2690%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2025-56643
CVE
CVE-2025-29926
CVE
CVE-2026-40172
CVE
CVE-2025-53501
CVE
CVE-2025-32956
CVE
CVE-2026-42843
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.