Published: 2026/03/16  Last Updated: 2026/03/16

JVN#46373837
Missing authorization in the OpenAI thread/message API endpoints of GROWI

Overview

GROWI provided by GROWI, Inc. contains a missing authorization vulnerability in the OpenAI thread/message API endpoints.

Products Affected

  • GROWI v7.4.5 and earlier

Description

GROWI provided by GROWI, Inc. contains the following vulnerability.

  • Missing authorization in the OpenAI thread/message API endpoints (CWE-862)
    • CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N Base Score 8.7
    • CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L Base Score 8.3
    • CVE-2026-25083
    • This can be exploited only when the attacker knows the identifier of a shared AI assistant.

Impact

A logged-in user may view and/or tamper with other users' threads/messages.
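To make the CWE-862 condition concrete, the following is an added example written for this page; it is not code from GROWI, Inc. or from the reporter, and it does not reproduce GROWI's actual routes. The in-memory store, the user objects, the identifiers and the function names are hypothetical, and the two sample threads are constructed. It places a thread/message handler that only authenticates the caller next to one that also verifies that the caller owns the thread, which is the check whose absence lets a logged-in user reach another user's thread once the shared assistant's identifier is known.

```javascript
// Added example for this advisory, not GROWI's code. Everything here is a
// hypothetical model: an in-memory Map stands in for the database and plain
// functions returning { status, body } stand in for the HTTP endpoints.

// Constructed sample data: two users' chat threads under one shared assistant.
// The shared assistant is identified by a single assistantId that every
// logged-in user is assumed to be able to learn.
const threads = new Map([
  ['thread-1', { id: 'thread-1', assistantId: 'asst-shared', ownerId: 'alice', messages: ['hello'] }],
  ['thread-2', { id: 'thread-2', assistantId: 'asst-shared', ownerId: 'bob', messages: ['secret'] }],
]);

// Lookup shared by both variants: the thread must exist and belong to the assistant.
function findThread(assistantId, threadId) {
  const t = threads.get(threadId);
  return t && t.assistantId === assistantId ? t : null;
}

// VULNERABLE (CWE-862): the caller must be logged in, but nothing ties the
// thread to the caller. Any user who knows assistantId can read or append to
// any thread id under that assistant.
function getMessagesVulnerable(user, assistantId, threadId) {
  if (!user) return { status: 401 };
  const t = findThread(assistantId, threadId);
  if (!t) return { status: 404 };
  return { status: 200, body: t.messages };
}

function postMessageVulnerable(user, assistantId, threadId, text) {
  if (!user) return { status: 401 };
  const t = findThread(assistantId, threadId);
  if (!t) return { status: 404 };
  t.messages.push(text);
  return { status: 200, body: t.messages };
}

// FIXED: a single ownership check that every thread/message handler routes
// through. A thread owned by someone else is reported as 404 rather than 403,
// so the endpoint does not confirm to the caller that a guessed thread id exists.
function authorizeThread(user, assistantId, threadId) {
  if (!user) return { status: 401 };
  const t = findThread(assistantId, threadId);
  if (!t || t.ownerId !== user.id) return { status: 404 };
  return { status: 200, thread: t };
}

function getMessages(user, assistantId, threadId) {
  const auth = authorizeThread(user, assistantId, threadId);
  if (auth.status !== 200) return { status: auth.status };
  return { status: 200, body: auth.thread.messages };
}

function postMessage(user, assistantId, threadId, text) {
  const auth = authorizeThread(user, assistantId, threadId);
  if (auth.status !== 200) return { status: auth.status };
  auth.thread.messages.push(text);
  return { status: 200, body: auth.thread.messages };
}

// Demonstration: alice, logged in and knowing only the shared assistant id,
// targets bob's thread against both variants.
const alice = { id: 'alice' };
console.log('vulnerable read:', getMessagesVulnerable(alice, 'asst-shared', 'thread-2').status); // 200
console.log('fixed read     :', getMessages(alice, 'asst-shared', 'thread-2').status);           // 404
console.log('fixed write    :', postMessage(alice, 'asst-shared', 'thread-2', 'x').status);      // 404
```

The design point is that the ownership check lives in one helper that both the read and the write paths must call, so a new endpoint cannot silently omit it; checking only that the caller is authenticated, or only that the thread belongs to the assistant, is exactly the gap the advisory describes.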

Solution

Update the Software
Update the software to the latest version.
The developer has released the following version to address this vulnerability.

  • GROWI v7.4.6

For more details, refer to the information provided by the developer.

Vendor Status

Vendor         Status       Last Update   Vendor Notes
GROWI, Inc.    Vulnerable   2026/03/16

JPCERT/CC Addendum

Credit

Sho Odagiri of GMO Cybersecurity by Ierae, Inc. reported this vulnerability to GROWI, Inc. and coordinated. After the coordination was completed, GROWI, Inc. reported the case to JPCERT/CC to notify users of the solution through JVN.

Other Information

CVE: CVE-2026-25083
JVN iPedia: JVNDB-2026-000039