CVE-2026-44224 Overview
CVE-2026-44224 is a privilege escalation vulnerability in Wiki.js, an open source wiki application built on Node.js. The flaw exists in the users.update GraphQL mutation, which accepts an arbitrary groups array and writes it directly to the database without validating the supplied group IDs. Any user holding the manage:users permission — typically delegated to wiki moderators for account administration — can assign themselves to the Administrators group. After re-authentication, the newly issued JSON Web Token (JWT) carries the manage:system permission, granting full site administrator access. The vulnerability affects all versions prior to 2.5.313 and is fixed in that release.
Critical Impact
A moderator-level account can escalate to full Wiki.js administrator in a single GraphQL mutation, enabling complete takeover of wiki content, configuration, and user accounts.
Affected Products
- Requarks Wiki.js versions prior to 2.5.313
- Self-hosted Wiki.js deployments delegating manage:users to non-administrators
- Multi-tenant Wiki.js instances with moderator roles
Discovery Timeline
- 2026-05-12 - CVE-2026-44224 published to the National Vulnerability Database (NVD)
- 2026-05-14 - Last updated in NVD database
Technical Details for CVE-2026-44224
Vulnerability Analysis
The vulnerability resides in the GraphQL resolver backing the users.update mutation. The resolver forwards the caller's arguments directly to the data model layer without enforcing an ownership check or a permission-based allowlist for the groups field. As a result, the input array becomes the authoritative group membership for the targeted user record.
Wiki.js relies on group membership to compute the permission set encoded in the JWT issued at authentication. The Administrators group is bound to the manage:system permission, which controls every administrative function in the application. Because the mutation accepts groups:[1] without verification, a caller can write the administrator group ID to their own profile. The weakness is classified under [CWE-269] Improper Privilege Management.
Root Cause
The resolver trusts client-supplied input for a security-sensitive field. There is no validation that the caller is permitted to assign the requested groups, no separation between profile-edit permissions and group-assignment permissions, and no constraint preventing assignment of higher-privileged groups than the caller already holds. The manage:users permission was intended for routine account management but transitively grants full administrative escalation through this missing check.
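The check the resolver lacks, as an added illustration (not Wiki.js code): group writes are gated on a separate authorization step that rejects unknown group IDs, self-service group changes by non-administrators, and any assignment that would grant permissions the caller does not already hold. The group table and the permission names other than manage:users and manage:system are constructed assumptions.

```javascript
// Illustrative authorization step for a users.update-style resolver (added
// example, not Wiki.js code). The GROUPS table and the non-admin permission
// names are constructed assumptions for the demonstration.
const GROUPS = new Map([
  [1, new Set(['manage:system', 'manage:users', 'read:pages'])], // Administrators
  [2, new Set(['manage:users', 'read:pages'])],                  // moderators
  [3, new Set(['read:pages'])],                                  // readers
]);

// Union of the permissions granted by a list of group IDs.
function permissionsOf(groupIds) {
  const perms = new Set();
  for (const id of groupIds) {
    for (const p of GROUPS.get(id) || []) perms.add(p);
  }
  return perms;
}

// Decide whether `caller` may write `requestedGroups` onto user `targetId`.
// Returns { ok: true } or { ok: false, reason } so the resolver can log denials.
function authorizeGroupChange(caller, targetId, requestedGroups) {
  const callerPerms = permissionsOf(caller.groups);
  if (!callerPerms.has('manage:users')) {
    return { ok: false, reason: 'caller lacks manage:users' };
  }
  // Unknown group IDs are rejected instead of being written through.
  const unknown = requestedGroups.filter((id) => !GROUPS.has(id));
  if (unknown.length) return { ok: false, reason: `unknown group ids: ${unknown}` };

  // Full administrators may assign any existing group.
  if (callerPerms.has('manage:system')) return { ok: true };

  // Non-administrators: no self-service group edits ...
  if (caller.id === targetId) {
    return { ok: false, reason: 'self-targeted group change requires manage:system' };
  }
  // ... and no granting of permissions the caller does not already hold.
  const granted = permissionsOf(requestedGroups);
  const escalated = [...granted].filter((p) => !callerPerms.has(p));
  if (escalated.length) {
    return { ok: false, reason: `would grant permissions caller lacks: ${escalated}` };
  }
  return { ok: true };
}
```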
Attack Vector
An authenticated user with manage:users issues a GraphQL users.update mutation against their own account ID, supplying a groups array containing the Administrators group ID (commonly 1). The mutation persists the new membership to the database. The attacker logs out and re-authenticates, and the resulting JWT contains manage:system. The attacker now controls site configuration, authentication providers, page content, and all user accounts. Exploitation requires a single network request and no user interaction from any victim. No public proof-of-concept exploit or CISA KEV listing is associated with this CVE at publication.
Detection Methods for CVE-2026-44224
Indicators of Compromise
- GraphQL requests to the users.update mutation where the groups argument includes the Administrators group ID (typically 1)
- Unexpected membership changes to the Administrators group recorded in the userGroups join table
- Re-authentication events from manage:users accounts immediately following a self-targeted users.update call
- New administrative actions originating from accounts that previously held only moderator-level permissions
Detection Strategies
- Audit Wiki.js application logs for users.update mutations where the caller's user ID equals the target user ID and the groups payload is modified
- Compare current group membership against a known-good baseline and alert on additions to administrative groups
- Correlate JWT-issuance events with recent group membership changes to surface escalation chains
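The three strategies above, as an added detection example (not Wiki.js code) run over constructed JSON audit lines: it flags users.update calls that write the Administrators group or target the caller's own account, and marks those followed by a login from the same user within a short window. The line format, field names and ADMIN_GROUP_ID = 1 are assumptions to adapt to the fields your logging pipeline actually emits.

```javascript
// Detection over constructed GraphQL audit log lines (added example, not
// Wiki.js code). JSON line format, field names and ADMIN_GROUP_ID are assumptions.
const ADMIN_GROUP_ID = 1;

// Constructed sample log: one self-targeted admin assignment followed by a
// re-login, one benign moderator edit, one edit by another caller, one junk line.
const SAMPLE_LOG = [
  '{"ts":"2026-05-12T10:00:01Z","event":"graphql","op":"users.update","callerId":42,"targetId":42,"groups":[2,1]}',
  '{"ts":"2026-05-12T10:00:09Z","event":"auth.login","userId":42}',
  '{"ts":"2026-05-12T10:05:00Z","event":"graphql","op":"users.update","callerId":42,"targetId":77,"groups":[3]}',
  '{"ts":"2026-05-12T10:06:00Z","event":"graphql","op":"users.update","callerId":7,"targetId":42,"groups":[2]}',
  'not a json line',
];

// Parse one line; returns null for anything that is not a JSON object.
function parseLine(line) {
  try {
    const o = JSON.parse(line);
    return o && typeof o === 'object' ? o : null;
  } catch {
    return null;
  }
}

// Flag users.update calls that (a) include the Administrators group and/or
// (b) target the caller's own account; then (c) note a login by that caller
// within `windowSec` afterwards, which is the re-authentication step.
function detectEscalation(lines, windowSec = 300) {
  const events = lines.map(parseLine).filter(Boolean);
  const findings = [];
  for (const e of events) {
    if (e.event !== 'graphql' || e.op !== 'users.update') continue;
    const reasons = [];
    if (Array.isArray(e.groups) && e.groups.includes(ADMIN_GROUP_ID)) reasons.push('assigns-admin-group');
    if (e.callerId === e.targetId) reasons.push('self-targeted');
    if (!reasons.length) continue;
    const t0 = Date.parse(e.ts);
    const relogin = events.find((x) => x.event === 'auth.login' && x.userId === e.callerId
      && Date.parse(x.ts) > t0 && Date.parse(x.ts) - t0 <= windowSec * 1000);
    if (relogin) reasons.push('re-auth-within-window');
    findings.push({ ts: e.ts, callerId: e.callerId, targetId: e.targetId, reasons });
  }
  return findings;
}
```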
Monitoring Recommendations
- Forward Wiki.js access and GraphQL logs to a centralized SIEM or data lake for retention and correlation
- Generate alerts on any membership change affecting the Administrators group, regardless of source account
- Track the running Wiki.js version across hosts and flag instances below 2.5.313
How to Mitigate CVE-2026-44224
Immediate Actions Required
- Upgrade all Wiki.js instances to version 2.5.313 or later without delay
- Review the Administrators group membership and remove any accounts that should not hold manage:system
- Revoke active sessions and force re-authentication after auditing group membership
- Rotate API tokens and integration credentials issued from potentially compromised administrator accounts
Patch Information
The maintainers fixed the vulnerability in Wiki.js 2.5.313 by adding validation to the users.update resolver so that group assignment is restricted to authorized callers. Refer to the Wiki.js GitHub Security Advisory GHSA-cq3g-mwrg-v2rv for the official advisory and patch details.
Workarounds
- Restrict the manage:users permission to fully trusted administrators until the upgrade is applied
- Place Wiki.js behind a reverse proxy or web application firewall (WAF) rule that blocks users.update mutations containing a groups field for non-administrator sessions
- Temporarily disable moderator-tier roles that include manage:users if upgrading is not immediately feasible
# Upgrade Wiki.js to the patched release
docker pull ghcr.io/requarks/wiki:2.5.313
docker stop wiki && docker rm wiki
docker run -d --name wiki --restart unless-stopped \
  -e DB_TYPE=postgres -e DB_HOST=db -e DB_PORT=5432 \
  -e DB_USER=wiki -e DB_PASS=*** -e DB_NAME=wiki \
  -p 3000:3000 ghcr.io/requarks/wiki:2.5.313
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.