CVE-2026-28431
Status: Received - Intake
Insufficient Permission Checks in Misskey Allow Data Exposure

Publication date: 2026-03-10

Last updated on: 2026-03-13

Assigner: GitHub, Inc.

Description
Misskey is an open source, federated social media platform. All Misskey servers running versions 8.45.0 and later, but prior to 2026.3.1, contain a vulnerability that allows bad actors to access data they would not ordinarily be able to access, due to insufficient permission checks and input validation. The vulnerability is present regardless of whether federation is enabled. It could lead to a significant data breach. This vulnerability is fixed in 2026.3.1.
Affected Vendors & Products
Vendor: misskey
Product: misskey
Versions: from 8.45.0 (inclusive) to 2026.3.1 (exclusive)
CWE
CWE-285 (Improper Authorization): The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-28431 is an authorization vulnerability in Misskey servers running versions 8.45.0 up to, but not including, 2026.3.1. It arises from insufficient permission checks and input validation, which allow an attacker to read data they are not authorized to access.

This vulnerability exists regardless of whether federation features are enabled on the server.

The weakness recorded for this CVE is CWE-285 (Improper Authorization): the server does not correctly enforce an authorization check when an actor accesses a resource or performs an action. The description also cites insufficient input validation (CWE-20, Improper Input Validation) as a contributing cause.

Source: [1]

How can this vulnerability impact me?

This vulnerability can lead to a significant data breach by allowing unauthorized attackers to access sensitive data they ordinarily would not be able to access.

According to the cited source, the attack vector is network-based with low complexity and requires neither privileges nor user interaction, so an unauthenticated remote attacker can exploit it against any reachable server.

The confidentiality impact is rated high, meaning there is a significant risk of unauthorized data disclosure.

Source: [1]

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The source does not address the regulatory or compliance impact of this vulnerability.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

The source provides no detection signatures or indicators of compromise for this vulnerability. The practical check is the server version: a Misskey server reports its version in the public meta API response (POST /api/meta with an empty JSON body) and in NodeInfo (/nodeinfo/2.0, software.version). Any reported version from 8.45.0 up to, but not including, 2026.3.1 is in the affected range; a version check confirms exposure, not whether the flaw has actually been exploited.
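The following version check is an added example, not code from the source advisory or from the Misskey project. It parses a Misskey version string (both the older semver-style numbers and the current year-based numbers share the X.Y.Z shape, and the year-based numbers are numerically larger, so plain integer comparison orders them correctly), compares it against the affected range recorded for this CVE, and treats a pre-release build of 2026.3.1 as still affected. SAMPLE_META is a constructed /api/meta response, not a capture from a real server; fetch_meta is the only function that touches the network and is never called on import.

```python
"""Version-based exposure check for CVE-2026-28431 (added example)."""
import json
import re
import sys
import urllib.request
from typing import Optional, Tuple

AFFECTED_FROM = "8.45.0"   # inclusive, per the affected-version range above
FIXED_IN = "2026.3.1"      # exclusive: this release carries the fix

# MAJOR.MINOR.PATCH, optional -prerelease, optional +build metadata.
_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?(\+[0-9A-Za-z.-]+)?$"
)


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Parse a Misskey version string into a comparable tuple.

    The last element is 1 for a release and 0 for a pre-release, so that
    '2026.3.1-beta.1' sorts before '2026.3.1' and is still counted as
    affected. Build metadata after '+' is ignored, as in semver.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Misskey version string: {version!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    is_release = 0 if m.group(4) else 1
    return (major, minor, patch, is_release)


def is_affected(version: str) -> bool:
    """True if AFFECTED_FROM <= version < FIXED_IN."""
    v = parse_version(version)
    return parse_version(AFFECTED_FROM) <= v < parse_version(FIXED_IN)


def assess_meta(meta_json: str) -> dict:
    """Evaluate a /api/meta response body (raw JSON string).

    Returns the reported version and whether it falls in the affected
    range; 'affected' is None when the response carries no version.
    """
    meta = json.loads(meta_json)
    version: Optional[str] = meta.get("version")
    if not version:
        return {"version": None, "affected": None,
                "note": "response carries no version field"}
    return {"version": version, "affected": is_affected(version)}


def fetch_meta(base_url: str, timeout: float = 10.0) -> str:
    """POST {} to <base_url>/api/meta and return the raw JSON body.

    Network access happens only here; not called at import time.
    """
    req = urllib.request.Request(
        base_url.rstrip("/") + "/api/meta",
        data=b"{}",
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


# Constructed sample response (not from a real server); only the fields
# this check reads are present. "example.invalid" is a placeholder host.
SAMPLE_META = json.dumps({
    "name": "example instance",
    "version": "2026.2.0",
    "uri": "https://misskey.example.invalid",
})

if __name__ == "__main__":
    # Usage: python check_misskey.py https://your.server   (or no arg = sample)
    body = fetch_meta(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_META
    print(json.dumps(assess_meta(body), indent=2))
```

Run it with a server base URL to query the live meta endpoint, or with no argument to evaluate the constructed sample. A result of affected: true means the reported version is in the vulnerable range and the server should be upgraded to 2026.3.1 or later; it says nothing about whether the flaw has been exploited, and a server that reports a modified or forked version string will need to be checked by hand.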


What immediate steps should I take to mitigate this vulnerability?

The immediate step to mitigate this vulnerability is to upgrade all Misskey servers to version 2026.3.1 or later.

No known workarounds exist, so applying the official patch by upgrading is strongly recommended to prevent unauthorized data access.

Source: [1]

Meta Information
CVE Publication Date:
2026-03-10
CVE Last Modified Date:
2026-03-13
Report Generation Date:
2026-03-14
AI Powered Q&A Generation:
2026-03-10
EPSS Last Evaluated Date:
2026-03-13