SB2026052303 - Multiple vulnerabilities in Misskey
Published: May 23, 2026
Description
This security bulletin contains information about 5 vulnerabilities.
1) Improper Authorization (CVE-ID: CVE-2026-48115)
CWE-ID: CWE-285 - Improper Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose limited portions of data.
The vulnerability exists due to improper authorization in the Server Announcements API when handling requests. A remote user can send a request to disclose limited portions of data.
The issue occurs regardless of whether federation is enabled.
2) Uncontrolled Recursion (CVE-ID: CVE-2026-46714)
CWE-ID: CWE-674 - Uncontrolled Recursion
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to cause a denial of service.
The vulnerability exists due to uncontrolled recursion in theme compilation when applying a malformed theme. A remote user can supply a specially crafted theme to cause a denial of service.
User interaction is required to apply the crafted theme.
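The defensive pattern for the recursion issue above, as an added example that is not Misskey's own theme compiler: a theme property resolver that bounds recursion depth and detects reference cycles, so a malformed theme fails with an error instead of exhausting the stack. The theme syntax (a value beginning with "@" references another property), the depth bound and the sample themes are all constructed for this example.

```javascript
// Added example (not Misskey code): a theme property resolver that bounds
// recursion and detects reference cycles, so a malformed theme cannot drive
// the compiler into unbounded recursion. Theme syntax here is constructed:
// a string value beginning with '@' references another property by name.

const MAX_RESOLVE_DEPTH = 32; // assumption: generous bound for legitimate themes

class ThemeError extends Error {}

function resolveProp(props, name, depth = 0, inProgress = new Set()) {
  // Depth bound catches very long (non-cyclic) reference chains.
  if (depth > MAX_RESOLVE_DEPTH) {
    throw new ThemeError(`reference chain too deep at '${name}'`);
  }
  // In-progress set catches cycles (a -> b -> a, or x -> x) early.
  if (inProgress.has(name)) {
    throw new ThemeError(`circular reference involving '${name}'`);
  }
  if (!Object.prototype.hasOwnProperty.call(props, name)) {
    throw new ThemeError(`unknown property '${name}'`);
  }
  const value = props[name];
  if (typeof value !== 'string' || !value.startsWith('@')) {
    return value; // literal (e.g. a colour): nothing further to resolve
  }
  inProgress.add(name);
  try {
    return resolveProp(props, value.slice(1), depth + 1, inProgress);
  } finally {
    inProgress.delete(name);
  }
}

// Resolves every property of a theme to a literal value.
function compileTheme(theme) {
  const out = {};
  for (const name of Object.keys(theme.props)) {
    out[name] = resolveProp(theme.props, name);
  }
  return out;
}

// Wraps compilation so a malformed theme yields a structured error
// instead of an uncaught exception.
function compileSafely(theme) {
  try {
    return { ok: true, props: compileTheme(theme) };
  } catch (e) {
    if (e instanceof ThemeError) return { ok: false, error: e.message };
    throw e;
  }
}

// Constructed sample themes.
const goodTheme = { props: { accent: '#86b300', link: '@accent', buttonBg: '@link' } };
const cyclicTheme = { props: { a: '@b', b: '@c', c: '@a' } };
const selfTheme = { props: { x: '@x' } };

if (typeof require !== 'undefined' && require.main === module) {
  console.log(compileSafely(goodTheme));   // ok, all literals
  console.log(compileSafely(cyclicTheme)); // error: circular reference
  console.log(compileSafely(selfTheme));   // error: circular reference
}
```

Both guards are needed: cycle detection alone does not stop a theme with thousands of chained references, and a depth bound alone gives a confusing error for a simple self-reference.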
3) Time-of-check Time-of-use (TOCTOU) Race Condition (CVE-ID: CVE-2026-47746)
CWE-ID: CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause integrity loss.
The vulnerability exists due to a time-of-check time-of-use race condition in the JSON-LD signature validation and compaction process when processing JSON-LD activities. A remote attacker can submit specially crafted activities to cause integrity loss.
The issue occurs because the context used for JSON-LD parsing is not shared between signature verification and actual processing, which can result in fake activities being accepted as valid.
4) Improper Verification of Cryptographic Signature (CVE-ID: CVE-2026-46713)
CWE-ID: CWE-347 - Improper Verification of Cryptographic Signature
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to spoof activities.
The vulnerability exists due to improper verification of cryptographic signatures in the JSON-LD signature validation and compaction process when processing ActivityPub activities. A remote attacker can send a specially crafted activity to spoof activities.
5) Authorization bypass through user-controlled key (CVE-ID: CVE-2026-46712)
CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose limited portions of direct message data.
The vulnerability exists due to an authorization bypass through a user-controlled key in the Direct Messages feature when handling requests for direct message data. A remote user can request direct message data they would not normally be permitted to view and thereby disclose limited portions of it.
This issue occurs regardless of whether federation is enabled. Notes created with specified visibility are not affected.
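The object-level authorization check that CWE-639 calls for, as an added example that is not Misskey's own code: because the message id in the request is chosen by the caller, the handler must confirm that the requester is a participant of the message it found before returning it, and the requester's identity must come from the session rather than from the request. The data model, store and sample messages are constructed for this example.

```javascript
// Added example (not Misskey code): object-level authorization for direct
// message lookups. The message id is user-controlled, so the handler checks
// that the requester is a participant before returning anything.
// Data model and sample data are constructed for this example.

const messages = new Map([
  ['m1', { id: 'm1', fromUserId: 'alice', toUserIds: ['bob'], text: 'hi bob' }],
  ['m2', { id: 'm2', fromUserId: 'carol', toUserIds: ['dave', 'erin'], text: 'group dm' }],
]);

function isParticipant(msg, userId) {
  return msg.fromUserId === userId || msg.toUserIds.includes(userId);
}

// requesterId comes from the authenticated session, never from the request body.
// Returns the message only if it exists AND the requester may see it. Both
// failure cases yield the same 404 so that valid ids cannot be enumerated.
function getDirectMessage(store, requesterId, messageId) {
  if (typeof requesterId !== 'string' || requesterId === '') return { status: 401 };
  const msg = store.get(String(messageId));
  if (!msg || !isParticipant(msg, requesterId)) return { status: 404 };
  return { status: 200, body: msg };
}

// Listing is filtered by the session identity; there is no user id parameter
// for the caller to substitute.
function listDirectMessageIds(store, requesterId) {
  if (typeof requesterId !== 'string' || requesterId === '') return [];
  return [...store.values()].filter((m) => isParticipant(m, requesterId)).map((m) => m.id);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(getDirectMessage(messages, 'bob', 'm1'));   // 200: recipient
  console.log(getDirectMessage(messages, 'carol', 'm1')); // 404: not a participant
  console.log(listDirectMessageIds(messages, 'dave'));    // ['m2']
}
```

The check lives next to the lookup rather than in a separate middleware keyed only on "is logged in", which is the distinction between authentication and authorization that this class of bug collapses.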
Remediation
Install the update from the vendor's website.
References
- https://github.com/misskey-dev/misskey/security/advisories/GHSA-j49q-76hx-mv8f
- https://github.com/misskey-dev/misskey/security/advisories
- https://github.com/misskey-dev/misskey/security/advisories/GHSA-wmhf-m93m-rgmj
- https://github.com/misskey-dev/misskey/security/advisories/GHSA-38jx-423m-g387
- https://github.com/misskey-dev/misskey/security/advisories/GHSA-w8x2-gpq6-jxvf
- https://github.com/misskey-dev/misskey/security/advisories/GHSA-2m3r-xx7x-63j6