CVE-2026-57574
Received Received - Intake

Authentication Bypass via TOTP Reuse in Misskey

Vulnerability report for CVE-2026-57574, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: GitHub, Inc.

Description

Misskey is an open source, federated social media platform. Prior to 2026.6.0, Misskey contains a vulnerability in Time-based One-Time Password (TOTP) authentication in UserAuthService where insufficient validation of used tokens allows the reuse of a single-use code within its valid time step. If both credentials and a TOTP code are obtained concurrently, an attacker may reuse the code to perform unauthorized actions, potentially leading to account takeover. This issue is fixed in version 2026.6.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-11
AI Q&A
2026-07-11
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
misskey misskey to 2026.6.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-294 A capture-replay flaw exists when the design of the product makes it possible for a malicious user to sniff network traffic and bypass authentication by replaying it to the server in question to the same effect as the original message (or with minor changes).

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the Misskey social media platform's Time-based One-Time Password (TOTP) authentication system prior to version 2026.6.0.

The issue is that the system does not properly validate used TOTP tokens, allowing a single-use code to be reused within its valid time window.

If an attacker obtains both the user's credentials and a valid TOTP code at the same time, they can reuse the code to perform unauthorized actions, potentially leading to account takeover.

Impact Analysis

This vulnerability can allow an attacker to reuse a single-use TOTP code to bypass authentication controls.

If the attacker has both the user's credentials and a valid TOTP code, they may perform unauthorized actions on the user's account.

This can lead to account takeover, compromising the security and privacy of the affected user.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Misskey to version 2026.6.0 or later, where the issue with TOTP token reuse has been fixed.

Additionally, ensure that credentials and TOTP codes are not exposed or obtained concurrently by unauthorized parties, as this could allow attackers to reuse single-use codes.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-57574. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart