Strix
26.1K

CVE-2026-44224

HIGHCVSS 8.6/10EPSS 0.38%

Last modified

CVE-2026-44224 is a high-severity vulnerability rated 8.6/10 on the CVSS scale. Wiki.js is an open source wiki app built on Node.js. Prior to 2.5.313, the users.update GraphQL mutation accepts an arbitrary groups array and applies it directly to the database with no validation of the group IDs supplied. EPSS estimates a 0.38% chance of exploitation in the next 30 days.

Description

Wiki.js is an open source wiki app built on Node.js. Prior to 2.5.313, the users.update GraphQL mutation accepts an arbitrary groups array and applies it directly to the database with no validation of the group IDs supplied. The resolver passes the caller's arguments straight to the model without any ownership check or restriction on which groups can be assigned. A user with manage:users — a permission typically delegated to wiki moderators for account management — can set groups:[1] on their own account to self-assign to the Administrators group. After re-authentication, the fresh JWT carries manage:system, granting full site administrator access in a single mutation call. This vulnerability is fixed in 2.5.313.

Metrics

CVSS 3.1
8.8/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0
8.6/10

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

EPSS Probability
0.38%

29.7th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersions
RequarksWiki.Js< 2.5.313

References

Timeline

Published
Last Modified
Status
Analyzed

Frequently Asked Questions

What is CVE-2026-44224?
Wiki.js is an open source wiki app built on Node.js. Prior to 2.5.313, the users.update GraphQL mutation accepts an arbitrary groups array and applies it directly to the database with no validation of the group IDs supplied. The resolver passes the caller's arguments straight to the model without any ownership check or restriction on which groups can be assigned. A user with manage:users — a permission typically delegated to wiki moderators for account management — can set groups:[1] on their own account to self-assign to the Administrators group. After re-authentication, the fresh JWT carries manage:system, granting full site administrator access in a single mutation call. This vulnerability is fixed in 2.5.313.
How severe is CVE-2026-44224?
CVE-2026-44224 has a CVSS score of 8.6/10 (HIGH severity). The EPSS model estimates a 0.38% probability of exploitation in the next 30 days.
How do I fix CVE-2026-44224?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2026-44224?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST