CVE-2026-39386
Privilege Escalation in Neko Virtual Browser Allows Full Admin Access
Publication date: 2026-04-21
Last updated on: 2026-04-23
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| m1k1o | neko | From 3.0.0 (inclusive) to 3.0.11 (exclusive) |
| m1k1o | neko | From 3.1.0 (inclusive) to 3.1.2 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
| CWE-269 | The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. |
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
AI-Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-39386 is a high-severity privilege escalation vulnerability in the Neko self-hosted virtual browser software versions 3.0.0 through 3.0.10 and 3.1.0 through 3.1.1. It allows any authenticated user to immediately gain full administrative control over the entire Neko instance.
This means an attacker with any user account can manage members, change room settings, control broadcasts, terminate sessions, and fully compromise the instance.
The vulnerability is caused by multiple weaknesses including improper input validation, improper privilege management, improper access control, authorization bypass through user-controlled keys, and missing authorization checks.
How can this vulnerability impact me?
This vulnerability can lead to a complete compromise of your Neko instance if exploited.
- An attacker can gain full administrative control, allowing them to manage users, alter room settings, control broadcasts, and terminate sessions.
- Confidentiality, integrity, and availability of the system are all highly impacted.
Such a compromise could disrupt your services, expose sensitive data, and allow unauthorized actions within your environment.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability allows any authenticated user to gain full administrative control over the Neko instance, including member management, room settings, broadcast control, and session termination.
To detect exploitation or attempts on your system, you should monitor for suspicious privilege changes or unexpected administrative actions within the Neko instance.
Specific commands are not provided in the available resources, but monitoring logs for unusual administrative activity or privilege escalations related to user accounts is recommended.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability has been patched in Neko versions 3.0.11 and 3.1.2. Upgrading to these versions or later is strongly recommended as the primary mitigation.
- Restrict access to trusted users only and avoid granting accounts to untrusted parties.
- Ensure all user passwords are strong and only shared with trusted individuals.
- Run the Neko instance only when needed and avoid leaving it continuously exposed.
- Place the instance behind authentication layers such as a reverse proxy with additional access controls.
- Disable or restrict access to the /api/profile endpoint if feasible.
- Monitor for suspicious privilege changes or unexpected administrative actions.
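As an added example for the detection and upgrade questions above (not code from the advisory or the Neko project), the following Python check classifies reported Neko version strings against the affected ranges listed on this page, so an inventory of instances can be triaged for the upgrade. The sample version list, including the unparseable "latest" tag, is constructed.

```python
"""Classify Neko version strings against the ranges affected by CVE-2026-39386.

Affected ranges taken from the advisory table:
  3.0.0 <= v < 3.0.11   (fixed in 3.0.11)
  3.1.0 <= v < 3.1.2    (fixed in 3.1.2)
"""
import re

# (inclusive lower bound, exclusive upper bound) as (major, minor, patch) tuples
AFFECTED_RANGES = (
    ((3, 0, 0), (3, 0, 11)),
    ((3, 1, 0), (3, 1, 2)),
)

# Accept an optional leading "v" and ignore anything after X.Y.Z (build/prerelease
# suffixes). Note: a prerelease of a fixed version such as "3.0.11-rc1" is therefore
# reported as fixed; verify such builds manually.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) or raise ValueError for non-semver input."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"not a semantic version: {text!r}")
    return tuple(int(part) for part in match.groups())


def is_affected(version):
    """True when the version falls inside either affected range."""
    parsed = parse_version(version)
    return any(low <= parsed < high for low, high in AFFECTED_RANGES)


def audit(versions):
    """Map each reported version string to 'affected', 'fixed' or 'unparsed'."""
    result = {}
    for version in versions:
        try:
            result[version] = "affected" if is_affected(version) else "fixed"
        except ValueError:
            # Tags like "latest" carry no version; they need a manual check.
            result[version] = "unparsed"
    return result


if __name__ == "__main__":
    # Constructed sample inventory, not real data.
    for version, status in audit(["3.0.10", "v3.1.1", "3.1.2", "latest"]).items():
        print(f"{version:>8}: {status}")
```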
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows any authenticated user to gain full administrative control over the entire Neko instance, leading to a complete compromise of confidentiality, integrity, and availability of the system.
Such a compromise can result in unauthorized access to sensitive data and administrative functions, which may violate compliance requirements under common standards and regulations like GDPR and HIPAA that mandate strict access controls and protection of personal and sensitive information.
Until the vulnerability is patched by upgrading to versions 3.0.11 or 3.1.2, the risk of unauthorized privilege escalation could lead to non-compliance with these regulations due to potential data breaches or unauthorized data manipulation.
Temporary mitigations can reduce risk but do not fully eliminate it, so relying on them may still leave an organization exposed to compliance violations.