Improper Verification of Cryptographic Signature in Misskey - CVE-2023-49079


Published: November 25, 2023 / Updated: April 28, 2026

Vulnerability identifier: #VU128327
CSH Severity: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2023-49079
CWE-ID: CWE-347
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Misskey
Software vendor: Misskey Development Division

Description

The vulnerability allows a remote attacker to impersonate any remote user.

The vulnerability exists due to improper verification of HTTP signatures in the ActivityPub inbox when processing server-to-server federation requests. A remote attacker can send a crafted request with spoofed signature-related headers to impersonate any remote user.

The issue occurs because the inbox verification checks only that the HTTP message signature itself is valid; it does not properly validate the headers that should bind the signature to the specific request, such as Digest (which should match a hash of the request body) and Host.
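The verification gap described above, as an added example in TypeScript that is not Misskey's own code: a minimal draft-cavage style HTTP Signature verifier in the weak form (any valid signature is accepted, whatever it covers and whatever the body says) beside a hardened form that requires `(request-target)`, `host`, `date` and `digest` to be covered, recomputes `Digest` from the actual body and compares `Host` with the receiving server's own hostname. The key pair, the keyId URL, the hostnames, the date and the request bodies are constructed for the example; key lookup by keyId and Date-skew checking are left out.

```typescript
import { createHash, createSign, createVerify, generateKeyPairSync, timingSafeEqual } from 'node:crypto';

// Minimal model of an inbound ActivityPub inbox POST (header names lowercased).
interface InboundRequest {
  method: string;
  path: string;
  headers: Record<string, string | undefined>;
  body: string;
}

// Parameters of a draft-cavage style "Signature" header.
interface ParsedSignature { keyId: string; headers: string[]; signature: string }

function parseSignatureHeader(value: string): ParsedSignature {
  const params: Record<string, string> = {};
  for (const part of value.split(',')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    params[part.slice(0, eq).trim()] = part.slice(eq + 1).trim().replace(/^"|"$/g, '');
  }
  const { keyId, headers, signature } = params;
  if (!keyId || !headers || !signature) throw new Error('malformed Signature header');
  return { keyId, headers: headers.split(' '), signature };
}

// The string that is actually signed: one "name: value" line per covered header.
function buildSigningString(req: InboundRequest, covered: string[]): string {
  return covered.map((name) => {
    if (name === '(request-target)') return `(request-target): ${req.method.toLowerCase()} ${req.path}`;
    const v = req.headers[name];
    if (v === undefined) throw new Error(`covered header missing from request: ${name}`);
    return `${name}: ${v}`;
  }).join('\n');
}

function digestOf(body: string): string {
  return 'SHA-256=' + createHash('sha256').update(body).digest('base64');
}

function signatureIsValid(req: InboundRequest, sig: ParsedSignature, publicKeyPem: string): boolean {
  const verifier = createVerify('RSA-SHA256');
  verifier.update(buildSigningString(req, sig.headers));
  return verifier.verify(publicKeyPem, sig.signature, 'base64');
}

// Weak verifier: the pattern the advisory describes. A valid signature is accepted
// without checking what it covers or whether Digest and Host fit this request.
function verifyWeak(req: InboundRequest, publicKeyPem: string): boolean {
  const raw = req.headers['signature'];
  if (!raw) return false;
  return signatureIsValid(req, parseSignatureHeader(raw), publicKeyPem);
}

// Hardened verifier: require the headers that bind the signature to this exact
// request, recompute Digest from the body, and check Host is our own hostname.
function verifyHardened(req: InboundRequest, publicKeyPem: string, expectedHost: string): boolean {
  const raw = req.headers['signature'];
  if (!raw) return false;
  const sig = parseSignatureHeader(raw);
  for (const required of ['(request-target)', 'host', 'date', 'digest']) {
    if (!sig.headers.includes(required)) return false;
  }
  if (req.headers['host'] !== expectedHost) return false;
  const got = Buffer.from(req.headers['digest'] ?? '');
  const want = Buffer.from(digestOf(req.body));
  if (got.length !== want.length || !timingSafeEqual(got, want)) return false;
  return signatureIsValid(req, sig, publicKeyPem);
}

// Constructed key pair standing in for a remote actor's key; hypothetical keyId URL.
const actorKey = generateKeyPairSync('rsa', {
  modulusLength: 2048,
  publicKeyEncoding: { type: 'spki', format: 'pem' },
  privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
});
const KEY_ID = 'https://remote.example/users/alice#main-key';

// Build and sign an inbox POST the way a well-behaved remote server would.
function makeSignedRequest(host: string, body: string): InboundRequest {
  const req: InboundRequest = {
    method: 'POST',
    path: '/inbox',
    headers: { host, date: 'Sat, 25 Nov 2023 12:00:00 GMT', digest: digestOf(body) },
    body,
  };
  const covered = ['(request-target)', 'host', 'date', 'digest'];
  const signer = createSign('RSA-SHA256');
  signer.update(buildSigningString(req, covered));
  const signature = signer.sign(actorKey.privateKey, 'base64');
  req.headers['signature'] = `keyId="${KEY_ID}",algorithm="rsa-sha256",headers="${covered.join(' ')}",signature="${signature}"`;
  return req;
}

// Three constructed cases, evaluated by both verifiers on our server "receiver.example".
function runScenarios(): Record<string, { weak: boolean; hardened: boolean }> {
  const OUR_HOST = 'receiver.example';
  const check = (req: InboundRequest) => ({
    weak: verifyWeak(req, actorKey.publicKey),
    hardened: verifyHardened(req, actorKey.publicKey, OUR_HOST),
  });
  const legitimate = makeSignedRequest(OUR_HOST, '{"type":"Create","actor":"https://remote.example/users/alice"}');
  // Same headers and signature, but the body was swapped: Digest no longer matches the body.
  const swappedBody: InboundRequest = { ...legitimate, headers: { ...legitimate.headers }, body: '{"type":"Create","content":"replaced"}' };
  // Validly signed for a different server and delivered to ours: Host does not match.
  const wrongHost = makeSignedRequest('other.example', '{"type":"Follow"}');
  return { legitimate: check(legitimate), swappedBody: check(swappedBody), wrongHost: check(wrongHost) };
}
```

In the swapped-body case the weak verifier still returns true because the Digest header it signs over is unchanged; only recomputing the digest from the delivered body catches the substitution. In the wrong-host case the signature is genuine, so again only an explicit comparison of Host with the local hostname rejects it. A production verifier would additionally fetch the actor's public key by keyId and bound the Date header's clock skew.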

Remediation

Install the security update from the vendor's website.

External links