GROWI Missing Authorization Vulnerability in OpenAI API Endpoints Allowing Unauthorized Access to Threads and Messages

Vulnerability

A vulnerability exists in GROWI versions through 7.4.5, where the OpenAI thread and message API endpoints lack proper authorization. This flaw allows logged-in users to access and manipulate threads and messages of other users, provided they know the identifier of a shared AI assistant.

Impact

Exploitation of this vulnerability enables a logged-in user to view and modify another user's threads and messages within the application.
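To illustrate the missing-authorization pattern this advisory describes, here is an added example (not GROWI's own code): a hypothetical in-memory thread store with a vulnerable read handler beside hardened read and write handlers. The store, the user names and the handler names are all constructed for the example; the point is that sharing an AI assistant must not be treated as sharing the per-user threads under it.

```javascript
// Added example, not code from GROWI. Constructed data: both users share one
// AI assistant ("asst-1"), but each thread belongs to exactly one user.
const assistants = new Map([["asst-1", { sharedWith: ["alice", "bob"] }]]);
const threads = new Map([
  ["thr-1", { assistantId: "asst-1", ownerId: "alice", messages: ["hi"] }],
  ["thr-2", { assistantId: "asst-1", ownerId: "bob", messages: ["yo"] }],
]);

// Vulnerable handler: only checks that the caller is logged in and that the
// thread exists. Any logged-in user who knows a thread id can read it.
function getThreadVulnerable(user, threadId) {
  if (!user) return { status: 401 };
  const thread = threads.get(threadId);
  if (!thread) return { status: 404 };
  return { status: 200, body: thread };
}

// Hardened handler: the caller must own the thread AND be allowed to use the
// assistant it hangs off. Sharing an assistant does not share its threads.
function getThreadAuthorized(user, threadId) {
  if (!user) return { status: 401 };
  const thread = threads.get(threadId);
  // Same 404 for "missing" and "not yours" so the endpoint does not reveal
  // which thread ids exist.
  if (!thread || thread.ownerId !== user) return { status: 404 };
  const assistant = assistants.get(thread.assistantId);
  if (!assistant || !assistant.sharedWith.includes(user)) return { status: 403 };
  return { status: 200, body: thread };
}

// Hardened write path: reuse the same ownership check before appending a
// message, so "manipulate" is gated exactly like "view".
function postMessageAuthorized(user, threadId, text) {
  const res = getThreadAuthorized(user, threadId);
  if (res.status !== 200) return res;
  res.body.messages.push(text);
  return { status: 201, body: res.body };
}
```

A regression test for the fix is the second assertion pattern: a different logged-in user who knows the thread id must get 404, not the thread.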

Remediation

Users are advised to update GROWI to version 7.4.6 or later. The updated version can be downloaded from GitHub or Docker Hub.

Added: Mar 16, 2026, 2:22 PM
Updated: Mar 16, 2026, 2:22 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 4.8
remediation: 0.0
relevance: 4.0
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.