4 matches found

Japan Vulnerability Notes
added 2026/03/16 8:18 a.m., 5 views

Missing authorization in the OpenAI thread/message API endpoints of GROWI

Overview: GROWI provided by GROWI, Inc. contains the following vulnerability. Missing authorization in the OpenAI thread/message API endpoints (CWE-862) - CVE-2026-25083. This can be exploited only when an attacker knows a shared AI assistant's identifier. Sho Odagiri of GMO Cybersecurity by Ierae, In...

CVSS 8.7, AI score 7.2, EPSS 0.0033
Exploits: 0, References: 4
Vulnrichment
added 2026/03/11 7:55 p.m., 2 views

CVE-2026-32097 PingPong has improper access control in thread file endpoints allows access outside intended scope

PingPong is a platform for using large language models (LLMs) for teaching and learning. Prior to 7.27.2, an authenticated user may be able to retrieve or delete files outside the intended authorization scope. This issue could result in retrieval or deletion of private files, including user-uploade...

CVSS 8.6, AI score 5.8, EPSS 0.00288
Exploits: 0, References: 1
OSV
added 2026/03/11 7:55 p.m., 3 views

CVE-2026-32097 PingPong has improper access control in thread file endpoints allows access outside intended scope

PingPong is a platform for using large language models (LLMs) for teaching and learning. Prior to 7.27.2, an authenticated user may be able to retrieve or delete files outside the intended authorization scope. This issue could result in retrieval or deletion of private files, including user-uploade...

CVSS 8.6, AI score 5.7, EPSS 0.00288
Exploits: 0, References: 3
CVE
added 2026/03/11 7:55 p.m., 7 views

CVE-2026-32097

PingPong, a platform for teaching/learning with LLMs, has a vulnerability prior to 7.27.2 where an authenticated user could retrieve or delete files outside the intended authorization scope. The issue allows retrieval of private files and deletion of files (including user uploads and model output...

CVSS 8.8, AI score 5.8, EPSS 0.00288
Exploits: 0, References: 1, Affected Software: 1