CVE-2026-44224— Wiki.js: Privilege Escalation via Missing Group Validation in users.update
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-44224
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Wiki.js: Privilege Escalation via Missing Group Validation in users.update
Source: NVD (National Vulnerability Database)
Vulnerability Description
Wiki.js is an open source wiki app built on Node.js. Prior to 2.5.313, the users.update GraphQL mutation accepts an arbitrary groups array and applies it directly to the database with no validation of the group IDs supplied. The resolver passes the caller's arguments straight to the model without any ownership check or restriction on which groups can be assigned. A user with manage:users — a permission typically delegated to wiki moderators for account management — can set groups:[1] on their own account to self-assign to the Administrators group. After re-authentication, the fresh JWT carries manage:system, granting full site administrator access in a single mutation call. This vulnerability is fixed in 2.5.313.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
特权管理不恰当
Source: NVD (National Vulnerability Database)
Vulnerability Title
wiki.js 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
wiki.js是requarks.io开源的一个Wiki应用程序。 Wiki.js 2.5.313之前版本存在安全漏洞,该漏洞源于users.update GraphQL变异接受任意groups数组并直接应用于数据库,未验证组ID,可能导致具有manage:users权限的用户自行分配管理员组,获得完全站点管理员访问权限。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-44224
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-44224
请登录查看更多情报信息。
- https://github.com/requarks/wiki/security/advisories/GHSA-cq3g-mwrg-v2rvx_refsource_CONFIRM
- https://nvd.nist.gov/vuln/detail/CVE-2026-44224
IV. Related Vulnerabilities
Same product: wiki
- CVE-2026-34735
Hytale Modding Vulnerable to Remote Code Execution via File - CVE-2026-32736
Hytale Modding Wiki has Insecure Direct Object Reference / G - CVE-2024-45298
Disabled user can bypass lockout by requesting password rese - CVE-2024-34710
Wiki.js Stored XSS through Client Side Template Injection - CVE-2022-23654
Improper write access check in Requarks/wiki
Same vendor: requarks
- CVE-2024-45298
Disabled user can bypass lockout by requesting password rese - CVE-2024-34710
Wiki.js Stored XSS through Client Side Template Injection - CVE-2022-1681
Authentication Bypass Using an Alternate Path or Channel in - CVE-2022-23654
Improper write access check in Requarks/wiki - CVE-2021-25993
Requarks wiki.js - Stored Cross-Site Scripting (XSS) in mark
Same weakness: CWE-269
- CVE-2026-8719
AI Engine 3.4.9 - Authenticated (Subscriber+) Privilege Esca - CVE-2026-45395
Open WebUI: Missing `workspace.tools` Authorization Check on - CVE-2026-45675
Open WebUI: LDAP and OAuth First-User Race Condition Allows - CVE-2026-6228
Frontend Admin by DynamiApps <= 3.28.36 - Unauthenticated Pr - CVE-2025-62625
AMD Processors 安全漏洞
V. Comments for CVE-2026-44224
No comments yet