CVE-2026-28431
Status: Received - Intake
Insufficient Permission Checks in Misskey Allow Data Exposure

Publication date: 2026-03-10

Last updated on: 2026-03-13

Assigner: GitHub, Inc.

Description
Misskey is an open source, federated social media platform. All Misskey servers running versions 8.45.0 and later, but prior to 2026.3.1, contain a vulnerability that, due to insufficient permission checks and a lack of proper input validation, allows bad actors to access data they ordinarily would not be able to access. This vulnerability occurs regardless of whether federation is enabled. It could lead to a significant data breach. This vulnerability is fixed in 2026.3.1.
Meta Information
Published: 2026-03-10
Last Modified: 2026-03-13
Generated: 2026-06-16
AI Q&A: 2026-03-10
EPSS Evaluated: 2026-06-15
External references: NVD, EUVD
Affected Vendors & Products
Vendor: misskey
Product: misskey
Version range: from 8.45.0 (inclusive) to 2026.3.1 (exclusive)
CWE
CWE-285: The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
Executive Summary

CVE-2026-28431 is a critical vulnerability in Misskey servers running versions 8.45.0 up to, but not including, 2026.3.1. It arises from insufficient authorization checks and improper input validation, which allows attackers to access data they should not be able to reach.

This vulnerability exists regardless of whether federation features are enabled on the server.

The underlying weaknesses are identified as CWE-20 (Improper Input Validation) and CWE-285 (Improper Authorization), meaning the product fails to correctly validate input data and does not properly enforce authorization checks when accessing resources or performing actions.

Impact Analysis

This vulnerability can lead to a significant data breach by allowing unauthorized attackers to access sensitive data they ordinarily would not be able to access.

Because the attack vector is network-based with low complexity and requires no privileges or user interaction, attackers can remotely exploit this vulnerability easily.

The impact on confidentiality is high, meaning there is a significant risk of unauthorized data disclosure.

Detection Guidance

There is no detailed information provided about specific detection methods or commands to identify this vulnerability on your network or system.

Mitigation Strategies

The immediate step to mitigate this vulnerability is to upgrade all Misskey servers to version 2026.3.1 or later.

No known workarounds exist, so applying the official patch by upgrading is strongly recommended to prevent unauthorized data access.
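Since the only mitigation is upgrading and the page gives no detection guidance, a fleet-wide version check against the advisory's affected range is the practical control. The following is an added example, not code from the advisory or the Misskey project; it assumes a Misskey instance reports its version in the `version` field of a JSON POST to `/api/meta`, and the sample versions at the bottom are constructed.

```python
"""Affected-range check for CVE-2026-28431 (Misskey): >= 8.45.0 and < 2026.3.1."""
import json
import re
import urllib.request

AFFECTED_FROM = (8, 45, 0)   # inclusive, per the advisory
FIXED_IN = (2026, 3, 1)      # exclusive: this release carries the fix
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?")


def parse_version(text):
    """Return ((major, minor, patch), is_prerelease) for '2025.12.0' or
    '2026.3.1-beta.1'. Misskey used plain major.minor.patch numbers before
    year-based versions, so a numeric tuple compare spans both (8.45.0 < 2026.3.1)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.group(1, 2, 3)), m.group(4) is not None


def is_affected(version):
    """True when the version lies in the advisory's affected range. A pre-release
    of the fixed version (2026.3.1-beta.1) predates the fix and counts as affected."""
    nums, prerelease = parse_version(version)
    if nums < AFFECTED_FROM:
        return False
    return nums < FIXED_IN or (nums == FIXED_IN and prerelease)


def fetch_version(base_url, timeout=10.0):
    """Read 'version' from an instance's /api/meta endpoint. Assumption (not from
    the advisory): it accepts an empty JSON POST and returns a JSON object with
    a 'version' string."""
    req = urllib.request.Request(base_url.rstrip("/") + "/api/meta", data=b"{}",
                                 headers={"Content-Type": "application/json"},
                                 method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)["version"]


if __name__ == "__main__":
    # Constructed sample versions, not data from any real instance.
    for v in ("8.44.9", "8.45.0", "2025.12.1", "2026.3.1-beta.1", "2026.3.1", "2026.4.0"):
        print(f"{v:>16}: {'AFFECTED' if is_affected(v) else 'ok'}")
```

For a fleet, call `fetch_version()` on each instance URL you administer and feed the result to `is_affected()`; any hit means that server still needs the 2026.3.1 upgrade.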
