CVE-2026-28433
Received Received - Intake
Improper Ownership Validation in Misskey Enables Data Import Abuse

Publication date: 2026-03-10

Last updated on: 2026-03-13

Assigner: GitHub, Inc.

Description
Misskey is an open source, federated social media platform. All Misskey servers running versions 10.93.0 and later, but prior to 2026.3.1, contain a vulnerability that allows importing other users' data due to lack of ownership validation. The impact of this vulnerability is estimated to be relatively low, as bad actors would require the ID corresponding to the target file for import. This vulnerability is fixed in 2026.3.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-10
Last Modified
2026-03-13
Generated
2026-06-16
AI Q&A
2026-03-10
EPSS Evaluated
2026-06-15
NVD
CVE-2026-28433
EUVD
EUVD-2026-10369
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
misskey misskey From 10.93.0 (inc) to 2026.3.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-28433 is a vulnerability in Misskey servers running versions 10.93.0 and later, but prior to 2026.3.1. It arises from a lack of ownership validation when importing data, allowing an attacker to import other users' data by exploiting insufficient authorization checks related to file IDs."}, {'type': 'paragraph', 'content': 'Specifically, the system does not properly verify whether the user owns the resource identified by the file ID, enabling unauthorized data importation. This is classified as an authorization bypass vulnerability.'}, {'type': 'paragraph', 'content': 'The vulnerability is considered low severity because exploitation requires knowledge of the target file ID, and the impact on confidentiality is limited.'}] [1]

Impact Analysis

This vulnerability can allow an attacker with limited privileges to import data belonging to other users without proper authorization.

The impact is relatively low since the attacker needs to know the specific file ID to exploit the vulnerability, and the unauthorized data disclosure is limited.

There is no impact on data integrity or availability, and no user interaction is required for exploitation.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, users are strongly advised to update Misskey servers to version 2026.3.1 or later, where the issue is fixed.

As a workaround for users on Misskey version 2024.9.0 or later, it is possible to disable the importing function via role policy settings to reduce risk.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-28433. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart