Description
Misskey is an open source, federated social media platform. All Misskey servers running versions 8.45.0 and later, but prior to 2026.3.1, contain a vulnerability that allows bad actors access to data that they ordinarily wouldn't be able to access, due to insufficient permission checks and a lack of proper input validation. This vulnerability occurs regardless of whether federation is enabled or not. This vulnerability could lead to a significant data breach. This vulnerability is fixed in 2026.3.1.
Published: 2026-03-09
Score: 9.2 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Data Access
Action: Patch Now
AI Analysis

Impact

Misskey servers running versions from 8.45.0 up to and including 2026.3.0 contain a flaw whereby insufficient permission checks and input validation allow an attacker to retrieve data they should not be able to access. The weakness is an authorization oversight, classified as CWE-285, and could lead to a significant data breach.

Affected Systems

All publicly accessible Misskey instances operated by misskey-dev that are running any version between 8.45.0 and 2026.3.0, inclusive. The vulnerability exists regardless of whether federation between instances is enabled.

Risk and Exploitability

The vulnerability is rated CVSS 9.2, indicating critical risk. However, the EPSS score is less than 1%, indicating a very low overall probability of exploitation at this time, and it is not listed in the CISA Known Exploited Vulnerabilities catalog. Potential exploitation would likely occur remotely via exposed HTTP API endpoints, allowing attackers to craft requests that bypass standard authorization checks. Because the flaw exists in all affected versions, any instance that has not been upgraded to 2026.3.1 or newer is potentially vulnerable.

Generated by OpenCVE AI on April 16, 2026 at 10:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Misskey installation to version 2026.3.1 or later, which includes the fix for the authorization flaw.
  • Verify that API endpoints for private and sensitive data enforce role-based permissions and that no endpoint inadvertently leaks data when supplied with invalid or unexpected parameters.
  • Perform a review of access control configurations on the server, ensuring that users and external actors cannot retrieve data beyond their granted privileges.


Advisories

No advisories yet.

History

Fri, 13 Mar 2026 17:30:00 +0000 (values added; nothing removed)

  CPEs: cpe:2.3:a:misskey:misskey:*:*:*:*:*:*:*:*
  Metrics (cvssV3_1): {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Tue, 10 Mar 2026 15:30:00 +0000 (values added; nothing removed)

  Metrics (ssvc): {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 10 Mar 2026 14:15:00 +0000 (values added; nothing removed)

  First Time appeared: Misskey; Misskey misskey
  Vendors & Products: Misskey; Misskey misskey

Mon, 09 Mar 2026 21:45:00 +0000 (values added; nothing removed)

  Description: Misskey is an open source, federated social media platform. All Misskey servers running versions 8.45.0 and later, but prior to 2026.3.1, contain a vulnerability that allows bad actors access to data that they ordinarily wouldn't be able to access due to insufficient permission checks and proper input validation. This vulnerability occurs regardless of whether federation is enabled or not. This vulnerability could lead to a significant data breach. This vulnerability is fixed in 2026.3.1.
  Title: Misskey lacks proper authorization checks and input validation
  Weaknesses: CWE-285
  References:
  Metrics (cvssV4_0): {'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-10T14:47:51.022Z

Reserved: 2026-02-27T15:54:05.137Z

Link: CVE-2026-28431

Vulnrichment

Updated: 2026-03-10T14:46:51.459Z

NVD

Status: Analyzed

Published: 2026-03-10T07:43:35.600

Modified: 2026-03-13T17:18:44.117

Link: CVE-2026-28431

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T10:15:26Z

Weaknesses