CVE-2026-57575
Received Received - Intake

SSRF in Misskey Prior to 2026.6.0

Vulnerability report for CVE-2026-57575, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: GitHub, Inc.

Description

Misskey is an open source, federated social media platform. Prior to 2026.6.0, Misskey contains a Server-Side Request Forgery (SSRF) vulnerability in URL preview functionality in UrlPreviewService. Due to missing network restrictions before establishing outbound connections, a remote attacker can cause the Misskey server to initiate HTTP requests to loopback, private, or link-local services. Because IP address validation takes place after the request has been sent and the process is subsequently rejected, no sensitive internal data is believed to be transmitted back or exposed to the attacker. This issue is fixed in version 2026.6.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-11
AI Q&A
2026-07-11
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
misskey misskey to 2026.6.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a Server-Side Request Forgery (SSRF) issue found in the Misskey social media platform before version 2026.6.0. It occurs in the URL preview functionality of the UrlPreviewService. Because the system lacks network restrictions before making outbound HTTP requests, an attacker can trick the server into sending requests to internal network addresses such as loopback, private, or link-local services.

Although the server performs IP address validation after sending the request and rejects the process, it is believed that no sensitive internal data is exposed or transmitted back to the attacker.

Mitigation Strategies

The vulnerability is fixed in Misskey version 2026.6.0. The immediate step to mitigate this vulnerability is to upgrade the Misskey platform to version 2026.6.0 or later.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Impact Analysis

This SSRF vulnerability allows a remote attacker to make the Misskey server initiate HTTP requests to internal network services that are normally inaccessible externally. This could potentially be used to probe internal network infrastructure or services.

However, since the IP validation happens after the request is sent and the process is rejected, it is not believed that sensitive internal data is exposed or leaked to the attacker.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-57575. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart