CVE-2026-25083: GROWI: Missing Auth allows unauthorized operations

UNKNOWN

Published March 16, 2026

CISO Take

GROWI deployments using OpenAI assistant integration expose all AI conversation threads to any authenticated user who can guess or enumerate an assistant identifier. Patch to v7.4.6+ immediately; if patching is not possible, disable AI assistant features or restrict GROWI access to trusted users only. Treat all historical threads in affected deployments as potentially compromised—audit for sensitive data disclosure.

What is the risk?

Medium-High for organizations running GROWI with OpenAI integration. Requires authentication, which limits exposure to insider threats and compromised accounts, but no additional privilege is needed beyond a valid login. The attack surface is the AI assistant identifier, which may be discoverable through normal application use, shared links, or brute force. The tamper vector elevates risk beyond read-only disclosure: an attacker can inject content into other users' AI threads, enabling context poisoning attacks that could manipulate subsequent AI responses seen by victims.

How severe is it?

CVSS 3.1

N/A

EPSS

0.3%

chance of exploitation in 30 days

Higher than 25% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

No known exploitation

Sophistication

Advanced

What should I do?

6 steps

PATCH

Upgrade GROWI to v7.4.6 or later (vendor advisory growi.co.jp/news/41 and JVN#46373837).
If immediate patching is not possible, disable OpenAI integration in GROWI admin settings.
AUDIT

Review OpenAI thread access logs for unauthorized cross-user access; check for injected content in shared AI threads.
SCOPE

Inventory all GROWI instances in your environment; prioritize internet-facing or contractor-accessible instances.
DETECTION

Alert on API calls to GROWI's AI thread/message endpoints from users who are not the thread owner—check application logs for cross-user thread ID access patterns.
ROTATE

If sensitive data was shared in AI threads, consider the information compromised and rotate any credentials or revoke sensitive content discussed therein.

What does CISA's SSVC say?

Decision Track

Exploitation none

Automatable No

Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Prompt Injection Data Leakage Model Poisoning API RAG Inference AML.T0012 - Valid Accounts AML.T0040 - AI Model Inference API Access AML.T0049 - Exploit Public-Facing Application AML.T0057 - LLM Data Leakage AML.T0080.001 - Thread AML.T0085 - Data from AI Services AML.T0092 - Manipulate User LLM Chat History AML.T0096 - AI Service API

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Art. 9 - Risk management system Art.9 - Risk management system

ISO 42001

A.6.1.2 - Segregation of duties A.6.2.6 - AI system access control A.9.3 - AI system logging and monitoring A.9.4 - Access control to AI systems

NIST AI RMF

GOVERN 1.2 - Accountability structures are in place GOVERN 1.4 - Organizational teams commit to AI risk transparency and accountability MANAGE 2.2 - Mechanisms to sustain oversight of AI systems MANAGE 2.4 - Mechanisms are in place to manage residual risks

OWASP LLM Top 10

LLM02:2025 - Sensitive Information Disclosure LLM04:2025 - Data and Model Poisoning LLM06:2025 - Excessive Agency / Insecure Design LLM07:2025 - Insecure Plugin Design

Frequently Asked Questions

What is CVE-2026-25083?

Is CVE-2026-25083 actively exploited?

No confirmed active exploitation of CVE-2026-25083 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-25083?

1. PATCH: Upgrade GROWI to v7.4.6 or later (vendor advisory growi.co.jp/news/41 and JVN#46373837). 2. If immediate patching is not possible, disable OpenAI integration in GROWI admin settings. 3. AUDIT: Review OpenAI thread access logs for unauthorized cross-user access; check for injected content in shared AI threads. 4. SCOPE: Inventory all GROWI instances in your environment; prioritize internet-facing or contractor-accessible instances. 5. DETECTION: Alert on API calls to GROWI's AI thread/message endpoints from users who are not the thread owner—check application logs for cross-user thread ID access patterns. 6. ROTATE: If sensitive data was shared in AI threads, consider the information compromised and rotate any credentials or revoke sensitive content discussed therein.

What systems are affected by CVE-2026-25083?

This vulnerability affects the following AI/ML architecture patterns: LLM API integrations, AI assistant platforms, Collaborative knowledge bases with AI features, Multi-tenant AI chat/thread systems, OpenAI Assistants API consumers.

What is the CVSS score for CVE-2026-25083?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

LLM API integrationsAI assistant platformsCollaborative knowledge bases with AI featuresMulti-tenant AI chat/thread systemsOpenAI Assistants API consumers

MITRE ATLAS Techniques

AML.T0012 Valid Accounts

AML.T0040 AI Model Inference API Access

AML.T0049 Exploit Public-Facing Application

AML.T0057 LLM Data Leakage

AML.T0080.001 Thread

AML.T0085 Data from AI Services

AML.T0092 Manipulate User LLM Chat History

AML.T0096 AI Service API

Compliance Controls Affected

EU AI Act: Art. 9, Art.9

ISO 42001: A.6.1.2, A.6.2.6, A.9.3, A.9.4

NIST AI RMF: GOVERN 1.2, GOVERN 1.4, MANAGE 2.2, MANAGE 2.4

OWASP LLM Top 10: LLM02:2025, LLM04:2025, LLM06:2025, LLM07:2025

What are the technical details?

Original Advisory

GROWI OpenAI thread/message API endpoints do not perform authorization. Affected are v7.4.5 and earlier versions. A logged-in user who knows a shared AI assistant's identifier may view and/or tamper the other user's threads/messages.

Exploitation Scenario

An authenticated GROWI user (e.g., a low-privilege contractor) discovers or enumerates the OpenAI assistant thread identifier of a more privileged user—for example, by observing identifiers in URLs, shared links, or through brute-force of sequential/predictable IDs. The attacker calls the unprotected API endpoint directly to read the victim's AI conversation history, harvesting sensitive business context, credentials, or strategic plans discussed with the AI assistant. In a more sophisticated variant, the attacker injects crafted messages into the victim's thread, poisoning the AI context so that future responses to the victim contain attacker-controlled misinformation or malicious instructions—a server-side prompt injection with persistent effect.

Weaknesses (CWE)

CWE-862 Missing Authorization Primary

CWE-862 — Missing Authorization: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

[Architecture and Design] Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries. Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
[Architecture and Design] Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Source: MITRE CWE corpus.