Missing Authorization in Misskey - CVE-2025-66402

 


Published: April 28, 2026


Vulnerability identifier: #VU128339
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2025-66402
CWE-ID: CWE-862
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Misskey Development Division
Affected software:
Misskey

Detailed vulnerability description

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to a missing authorization check in the data export for favorites and clips, which applies when exporting posts whose URLs were previously added. A remote user can add private post URLs to favorites or clips and then export the data to disclose sensitive information.

If private posts are pinned, their identifiers may be obtainable from the user page on the original server.
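The class of flaw described above, missing authorization on an export path, is shown below as an added example; it is not Misskey's code and does not represent the vendor's fix. The note model, visibility values, and function names are hypothetical and simplified. The example contrasts an export that trusts saved references with one that re-checks read access for each note at export time.

```typescript
// Simplified, hypothetical model for illustration; not Misskey's schema or code.
type Visibility = 'public' | 'followers' | 'specified';

interface Note {
  id: string;
  authorId: string;
  text: string;
  visibility: Visibility;
  visibleUserIds: string[]; // explicit recipients of a 'specified' note
}

interface Requester {
  id: string;
  followingIds: string[]; // authors this user follows
}

// Deny-by-default read check, evaluated when the data is read.
function canRead(note: Note, user: Requester): boolean {
  if (note.authorId === user.id) return true;
  switch (note.visibility) {
    case 'public': return true;
    case 'followers': return user.followingIds.indexOf(note.authorId) !== -1;
    case 'specified': return note.visibleUserIds.indexOf(user.id) !== -1;
    default: return false;
  }
}

// Weak pattern: a saved reference is treated as proof of read access.
function exportUnchecked(savedIds: string[], store: Record<string, Note>): Note[] {
  return savedIds.map((id) => store[id]).filter((n): n is Note => n !== undefined);
}

// Corrected pattern: every saved note is re-authorized at export time.
function exportAuthorized(savedIds: string[], store: Record<string, Note>, user: Requester): Note[] {
  return exportUnchecked(savedIds, store).filter((n) => canRead(n, user));
}

// Constructed sample data.
const store: Record<string, Note> = {
  n1: { id: 'n1', authorId: 'alice', text: 'hello', visibility: 'public', visibleUserIds: [] },
  n2: { id: 'n2', authorId: 'alice', text: 'followers only', visibility: 'followers', visibleUserIds: [] },
  n3: { id: 'n3', authorId: 'alice', text: 'direct', visibility: 'specified', visibleUserIds: ['bob'] },
};
const carol: Requester = { id: 'carol', followingIds: [] };
const saved = ['n1', 'n2', 'n3', 'missing'];

console.log(exportUnchecked(saved, store).map((n) => n.id));         // weak pattern
console.log(exportAuthorized(saved, store, carol).map((n) => n.id)); // corrected pattern
```

Checking access at export time rather than when the reference is saved also covers the case where the requester's access changes between the two events.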


How to mitigate CVE-2025-66402

Install the security update from the vendor's website.
