Description
Misskey is an open source, federated social media platform. All Misskey servers running versions 10.93.0 and later, but prior to 2026.3.1, contain a vulnerability that allows importing other users' data due to lack of ownership validation. The impact of this vulnerability is estimated to be relatively low, as bad actors would require the ID corresponding to the target file for import. This vulnerability is fixed in 2026.3.1.
Published: 2026-03-09
Score: 2.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Data Import
Action: Patch
AI Analysis

Impact

Misskey versions 10.93.0 through 2026.3.0 lack validation that the user submitting an import request owns the target data file. As a result, a user who knows the identifier of another user's data file can submit an import request, and the server performs the import without checking ownership. The flaw is classified as CWE-639 (Authorization Bypass Through User-Controlled Key) and CWE-862 (Missing Authorization). It could enable the illicit import of another user's personal data, but the need to know a specific file ID limits the potential impact, which is reflected in the CVSS score of 2.3.

Affected Systems

All instances of the Misskey platform (the misskey-dev project) are affected: any copy of Misskey running a release from 10.93.0 inclusive through 2026.3.0 inclusive is vulnerable. Versions 2026.3.1 and later contain the fix, which enforces ownership checks during imports.

Risk and Exploitability

The probability of exploitation is considered low, with an EPSS score below 1% and no listing in the CISA KEV catalog. Exploitation requires prior knowledge of a valid data file identifier; once that condition is met, the import operation succeeds, letting the attacker access or clone another user's data on the server.

Generated by OpenCVE AI on April 17, 2026 at 11:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Misskey 2026.3.1 or later, which implements ownership validation during data imports.
  • If an upgrade cannot be performed immediately, disable the public import endpoint or restrict it to trusted administrators only to eliminate the attack surface.
  • Monitor import logs for any anomalous activity and remove any data that may have been imported without proper authorization.

Generated by OpenCVE AI on April 17, 2026 at 11:51 UTC.


Advisories

No advisories yet.

History

Fri, 13 Mar 2026 17:30:00 +0000

Type: CPEs
Values removed: (none)
Values added: cpe:2.3:a:misskey:misskey:*:*:*:*:*:*:*:*

Type: Metrics (cvssV3_1)
Values removed: (none)
Values added: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

Tue, 10 Mar 2026 15:30:00 +0000

Type: Metrics (ssvc)
Values removed: (none)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 10 Mar 2026 14:15:00 +0000

Type: First Time appeared
Values removed: (none)
Values added: Misskey; Misskey misskey

Type: Vendors & Products
Values removed: (none)
Values added: Misskey; Misskey misskey

Mon, 09 Mar 2026 21:45:00 +0000

Type: Description
Values removed: (none)
Values added: Misskey is an open source, federated social media platform. All Misskey servers running versions 10.93.0 and later, but prior to 2026.3.1, contain a vulnerability that allows importing other users' data due to lack of ownership validation. The impact of this vulnerability is estimated to be relatively low, as bad actors would require the ID corresponding to the target file for import. This vulnerability is fixed in 2026.3.1.

Type: Title
Values removed: (none)
Values added: Misskey lacks resource ownership validation

Type: Weaknesses
Values removed: (none)
Values added: CWE-639; CWE-862

Type: References
Values removed: (none)
Values added:

Type: Metrics (cvssV4_0)
Values removed: (none)
Values added: {'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-10T14:44:15.691Z

Reserved: 2026-02-27T15:54:05.138Z

Link: CVE-2026-28433

Vulnrichment

Updated: 2026-03-10T14:44:04.804Z

NVD

Status: Analyzed

Published: 2026-03-10T07:43:35.907

Modified: 2026-03-13T17:17:07.587

Link: CVE-2026-28433

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T12:00:11Z

Weaknesses