Description
Misskey is an open source, federated social media platform. All Misskey servers prior to 2026.3.1 contain a vulnerability that allows bypassing HTTP signature verification. Although this is a vulnerability related to federation, it affects all servers regardless of whether federation is enabled or disabled. This vulnerability is fixed in 2026.3.1.
Published: 2026-03-09
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Authorization Bypass via HTTP Signature Forgery
Action: Upgrade
AI Analysis

Impact

Misskey versions released before 2026.3.1 fail to properly validate HTTP signatures that secure federated communications. This flaw allows an attacker to forge or manipulate federated requests, causing the server to accept these requests as authentic. The consequence is that the compromised server could be tricked into processing malicious content or impersonating other instances, leading to integrity violations and potential misuse of user data.

Affected Systems

All Misskey installations operated by misskey-dev, specifically any server running a version earlier than 2026.3.1. The issue is independent of whether federation is enabled, so every server running the affected code base is susceptible.

Risk and Exploitability

The CVSS score for this vulnerability is 7.1, indicating a high level of severity. The EPSS score is less than 1%, suggesting that exploitation is currently considered unlikely. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the attack vector is likely remote; an adversary can send forged signed federation messages that bypass the signature check, enabling unauthorized data injection or impersonation of other instances.

Generated by OpenCVE AI on April 16, 2026 at 10:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official Misskey 2026.3.1 patch or newer to restore proper HTTP signature verification.
  • If an immediate upgrade is unavailable, temporarily disable federation endpoints or lock down federation traffic to eliminate the attack surface that the vulnerability exploits.
  • Maintain vigilant log monitoring for unexpected federation requests or anomalies, ensuring that any signed messages are correctly validated and that no illicit content is accepted.

Generated by OpenCVE AI on April 16, 2026 at 10:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 13 Mar 2026 17:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:misskey:misskey:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}

Tue, 10 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 10 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
First Time appeared Misskey
Misskey misskey
Vendors & Products Misskey
Misskey misskey

Mon, 09 Mar 2026 21:45:00 +0000

Type Values Removed Values Added
Description Misskey is an open source, federated social media platform. All Misskey servers prior to 2026.3.1 contain a vulnerability that allows bypassing HTTP signature verification. Although this is a vulnerability related to federation, it affects all servers regardless of whether federation is enabled or disabled. This vulnerability is fixed in 2026.3.1.
Title HTTP signature verification can be bypassed
Weaknesses CWE-347
References
Metrics cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Misskey Misskey
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-10T14:45:12.846Z

Reserved: 2026-02-27T15:54:05.137Z

Link: CVE-2026-28432

cve-icon Vulnrichment

Updated: 2026-03-10T14:45:07.659Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-10T07:43:35.770

Modified: 2026-03-13T17:18:06.580

Link: CVE-2026-28432

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T10:15:26Z

Weaknesses