Vulnerability Description
Wiki.js is an open source wiki app built on Node.js. Prior to 2.5.313, the users.update GraphQL mutation accepts an arbitrary groups array and applies it directly to the database with no validation of the group IDs supplied. The resolver passes the caller's arguments straight to the model without any ownership check or restriction on which groups can be assigned. A user with manage:users — a permission typically delegated to wiki moderators for account management — can set groups:[1] on their own account to self-assign to the Administrators group. After re-authentication, the fresh JWT carries manage:system, granting full site administrator access in a single mutation call. This vulnerability is fixed in 2.5.313.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Requarks | Wiki.Js | < 2.5.313 |
Related Weaknesses (CWE)
References
- https://github.com/requarks/wiki/security/advisories/GHSA-cq3g-mwrg-v2rvExploitMitigationVendor Advisory
- https://github.com/requarks/wiki/security/advisories/GHSA-cq3g-mwrg-v2rvExploitMitigationVendor Advisory
FAQ
What is CVE-2026-44224?
CVE-2026-44224 is a vulnerability with a CVSS score of 8.8 (HIGH). Wiki.js is an open source wiki app built on Node.js. Prior to 2.5.313, the users.update GraphQL mutation accepts an arbitrary groups array and applies it directly to the database with no validation of...
How severe is CVE-2026-44224?
CVE-2026-44224 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-44224?
Check the references section above for vendor advisories and patch information. Affected products include: Requarks Wiki.Js.