SB2026042871 - Multiple vulnerabilities in Misskey
Published: April 28, 2026
Description
This security bulletin contains information about three security vulnerabilities.
1) Improper Verification of Cryptographic Signature (CVE-ID: CVE-2026-28432)
The vulnerability allows a remote attacker to bypass HTTP signature verification.
The vulnerability exists due to improper verification of cryptographic signatures when handling federation-related HTTP signatures. A remote attacker can send a specially crafted signed request that passes HTTP signature verification.
The issue affects all servers, regardless of whether federation is enabled or disabled.
2) Authorization bypass through user-controlled key (CVE-ID: CVE-2026-28433)
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists because the import function, when importing data by file ID, uses the caller-supplied file ID without verifying that the file belongs to the requesting user. A remote user can supply the ID of another user's file and disclose sensitive information.
Exploitation requires knowledge of the ID of the target file.
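Added example, not Misskey code, of the pattern this item describes: an import handler that loads a file by the ID the caller sent. The store, the two file records and the function names are constructed for the illustration; the hardened form scopes the lookup to the calling user rather than fetching by ID and checking ownership afterwards.

```javascript
// Added example, not Misskey code: an import endpoint that loads a file by a
// caller-supplied ID. FILES, findFile, importFromFileUnsafe, importFromFile and
// probe are hypothetical names; the records below are constructed sample data.

// Constructed sample store: one drive file per user.
const FILES = [
  { id: 'f1', userId: 'alice', name: 'following.csv', contents: 'bob@remote.example\ncarol@remote.example' },
  { id: 'f2', userId: 'mallory', name: 'empty.csv', contents: '' },
];

class NotFoundError extends Error {}

// Minimal stand-in for an ORM findOne({ where }): every given column must match.
function findFile(where) {
  return FILES.find((f) => Object.entries(where).every(([k, v]) => f[k] === v)) || null;
}

// Vulnerable shape: the key is taken from the request and used on its own, so
// any authenticated caller who knows (or guesses) "f1" imports alice's file.
function importFromFileUnsafe(callerId, fileId) {
  const file = findFile({ id: fileId });
  if (!file) throw new NotFoundError(fileId);
  return file.contents.split('\n').filter(Boolean);
}

// Hardened shape: the lookup itself is scoped to the caller, and "not yours" is
// indistinguishable from "does not exist", so the endpoint cannot be used to
// confirm which file IDs exist either.
function importFromFile(callerId, fileId) {
  const file = findFile({ id: fileId, userId: callerId });
  if (!file) throw new NotFoundError(fileId);
  return file.contents.split('\n').filter(Boolean);
}

// Returns 'ok' or 'not found' so the two shapes can be compared side by side.
function probe(handler, callerId, fileId) {
  try { handler(callerId, fileId); return 'ok'; }
  catch (e) { if (e instanceof NotFoundError) return 'not found'; throw e; }
}
```

Putting `userId` into the query, rather than loading by `id` and comparing afterwards, means a future code path that reuses `findFile` cannot forget the ownership check, and it is the form to look for when auditing every endpoint that takes a file, note or user ID from the request.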
3) Authorization bypass through user-controlled key (CVE-ID: CVE-2026-28431)
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in the authorization checks applied to requests for protected data. A remote user can request protected data and read limited portions of it that they would not normally be able to access, disclosing sensitive information.
This issue occurs regardless of whether federation is enabled.
Remediation
Install the update from the vendor's website.