CVE-2026-28433
Improper Ownership Validation in Misskey Enables Data Import Abuse
Publication date: 2026-03-10
Last updated on: 2026-03-13
Assigner: GitHub, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| misskey | misskey | From 10.93.0 (inc) to 2026.3.1 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-28433 is a vulnerability in Misskey servers running versions 10.93.0 and later, but prior to 2026.3.1. It arises from a lack of ownership validation when importing data, allowing an attacker to import other users' data by exploiting insufficient authorization checks related to file IDs.

Specifically, the system does not properly verify whether the user owns the resource identified by the file ID, enabling unauthorized data importation. This is classified as an authorization bypass vulnerability.

The vulnerability is considered low severity because exploitation requires knowledge of the target file ID, and the impact on confidentiality is limited. [1]
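The pattern behind CWE-862 and CWE-639 described above, shown as an added illustration: the vulnerable handler resolves a caller-supplied file ID by key alone, while the hardened handler scopes the lookup to the requesting user and records cross-owner mismatches for detection. This is not Misskey's code and not from the record above; the in-memory drive, the user IDs, the handler names and the audit log are constructed stand-ins.

```typescript
// Added illustration of CWE-862 / CWE-639 in a data-import endpoint.
// Not Misskey's code: the in-memory drive, user ids and handler names are
// constructed stand-ins for the pattern the CVE describes.

type UserId = string;
type FileId = string;

interface StoredFile {
  id: FileId;
  ownerId: UserId;
  contents: string;
}

// Constructed sample drive: two users, one uploaded export file each.
const DRIVE: Map<FileId, StoredFile> = new Map([
  ["file-alice-1", { id: "file-alice-1", ownerId: "alice", contents: "alice's export" }],
  ["file-bob-1", { id: "file-bob-1", ownerId: "bob", contents: "bob's export" }],
]);

// Denied cross-owner attempts are recorded here so they can be alerted on;
// a real service would emit these to its audit log.
const auditLog: string[] = [];

class ImportDenied extends Error {}

// Vulnerable shape: the handler resolves the caller-supplied fileId by key alone
// and never consults the requester's identity (CWE-862). Any authenticated user
// who knows another user's file id can import that file (CWE-639).
function importDataVulnerable(_requester: UserId, fileId: FileId): string {
  const file = DRIVE.get(fileId); // _requester is never used: that is the bug
  if (!file) throw new ImportDenied("no such file");
  return file.contents;
}

// Hardened shape: the lookup is scoped to the requester. A file that belongs to
// someone else produces the same error as a missing file, so the response does
// not confirm that a guessed id exists, while the mismatch is still logged.
function importDataChecked(requester: UserId, fileId: FileId): string {
  const file = DRIVE.get(fileId);
  if (file && file.ownerId !== requester) {
    auditLog.push(`cross-owner import attempt requester=${requester} fileId=${fileId}`);
  }
  if (!file || file.ownerId !== requester) throw new ImportDenied("no such file");
  return file.contents;
}

// Small wrapper so a caller (or test) sees the outcome as a value.
function attempt(
  handler: (requester: UserId, fileId: FileId) => string,
  requester: UserId,
  fileId: FileId,
): "allowed" | "denied" {
  try {
    handler(requester, fileId);
    return "allowed";
  } catch (err) {
    if (err instanceof ImportDenied) return "denied";
    throw err;
  }
}

// Stand-alone demonstration.
console.log("vulnerable, bob -> alice's file:", attempt(importDataVulnerable, "bob", "file-alice-1"));
console.log("checked,    bob -> alice's file:", attempt(importDataChecked, "bob", "file-alice-1"));
console.log("checked,    alice -> own file:  ", attempt(importDataChecked, "alice", "file-alice-1"));
console.log("audit:", auditLog);
```

The hardened handler deliberately returns the same error for "missing" and "not yours", so the endpoint cannot be used to confirm which file IDs exist; the ownership mismatch is still visible server-side through the audit entry, which is the signal a detection rule would key on.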
How can this vulnerability impact me?
This vulnerability can allow an attacker with limited privileges to import data belonging to other users without proper authorization.
The impact is relatively low since the attacker needs to know the specific file ID to exploit the vulnerability, and the unauthorized data disclosure is limited.
There is no impact on data integrity or availability, and no user interaction is required for exploitation.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, users are strongly advised to update Misskey servers to version 2026.3.1 or later, where the issue is fixed.
As a workaround for users on Misskey version 2024.9.0 or later, it is possible to disable the importing function via role policy settings to reduce risk.