CVE-2026-39386
Received Received - Intake
Privilege Escalation in Neko Virtual Browser Allows Full Admin Access

Publication date: 2026-04-21

Last updated on: 2026-04-23

Assigner: GitHub, Inc.

Description
Neko is a a self-hosted virtual browser that runs in Docker and uses WebRTC In versions 3.0.0 through 3.0.10 and 3.1.0 through 3.1.1, any authenticated user can immediately obtain full administrative control of the entire Neko instance (member management, room settings, broadcast control, session termination, etc.). This results in a complete compromise of the instance. The vulnerability has been patched in v3.0.11 and v3.1.2. If upgrading is not immediately possible, the following mitigations can reduce risk: Restrict access to trusted users only (avoid granting accounts to untrusted parties); ensure all user passwords are strong and only shared with trusted individuals; run the instance only when needed; avoid leaving it continuously exposed; place the instance behind authentication layers such as a reverse proxy with additional access controls; disable or restrict access to the /api/profile endpoint if feasible; and/or monitor for suspicious privilege changes or unexpected administrative actions. Note that these are temporary mitigations and do not fully eliminate the vulnerability. Upgrading is strongly recommended.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-21
Last Modified
2026-04-23
Generated
2026-06-16
AI Q&A
2026-04-21
EPSS Evaluated
2026-06-15
NVD
CVE-2026-39386
EUVD
EUVD-2026-24027
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
m1k1o neko From 3.0.0 (inc) to 3.0.11 (exc)
m1k1o neko From 3.1.0 (inc) to 3.1.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
CWE-269 The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-39386 is a high-severity privilege escalation vulnerability in the Neko self-hosted virtual browser software versions 3.0.0 through 3.0.10 and 3.1.0 through 3.1.1. It allows any authenticated user to immediately gain full administrative control over the entire Neko instance.

This means an attacker with any user account can manage members, change room settings, control broadcasts, terminate sessions, and fully compromise the instance.

The vulnerability is caused by multiple weaknesses including improper input validation, improper privilege management, improper access control, authorization bypass through user-controlled keys, and missing authorization checks.

Impact Analysis

This vulnerability can lead to a complete compromise of your Neko instance if exploited.

  • An attacker can gain full administrative control, allowing them to manage users, alter room settings, control broadcasts, and terminate sessions.
  • Confidentiality, integrity, and availability of the system are all highly impacted.

Such a compromise could disrupt your services, expose sensitive data, and allow unauthorized actions within your environment.

Detection Guidance

This vulnerability allows any authenticated user to gain full administrative control over the Neko instance, including member management, room settings, broadcast control, and session termination.

To detect exploitation or attempts on your system, you should monitor for suspicious privilege changes or unexpected administrative actions within the Neko instance.

Specific commands are not provided in the available resources, but monitoring logs for unusual administrative activity or privilege escalations related to user accounts is recommended.

Mitigation Strategies

The vulnerability has been patched in Neko versions 3.0.11 and 3.1.2. Upgrading to these versions or later is strongly recommended as the primary mitigation.

  • Restrict access to trusted users only and avoid granting accounts to untrusted parties.
  • Ensure all user passwords are strong and only shared with trusted individuals.
  • Run the Neko instance only when needed and avoid leaving it continuously exposed.
  • Place the instance behind authentication layers such as a reverse proxy with additional access controls.
  • Disable or restrict access to the /api/profile endpoint if feasible.
  • Monitor for suspicious privilege changes or unexpected administrative actions.
Compliance Impact

This vulnerability allows any authenticated user to gain full administrative control over the entire Neko instance, leading to a complete compromise of confidentiality, integrity, and availability of the system.

Such a compromise can result in unauthorized access to sensitive data and administrative functions, which may violate compliance requirements under common standards and regulations like GDPR and HIPAA that mandate strict access controls and protection of personal and sensitive information.

Until the vulnerability is patched by upgrading to versions 3.0.11 or 3.1.2, the risk of unauthorized privilege escalation could lead to non-compliance with these regulations due to potential data breaches or unauthorized data manipulation.

Temporary mitigations can reduce risk but do not fully eliminate it, so relying on them may still leave an organization exposed to compliance violations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-39386. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart