Authorization bypass through user-controlled key in Misskey - CVE-2026-28431

 


Published: April 28, 2026


Vulnerability identifier: #VU128343
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-28431
CWE-ID: CWE-639
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Misskey Development Division
Affected software: Misskey

Detailed vulnerability description

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper access control in authorization checks when handling requests for protected data. A remote user can access limited portions of data that they would not normally be permitted to view, disclosing sensitive information.

This issue occurs regardless of whether federation is enabled.
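CWE-639 (authorization bypass through a user-controlled key) describes the pattern where a request is authenticated but the server then loads and returns whatever object the caller names, without checking that this caller is allowed to see it. The advisory does not identify the affected Misskey endpoint, so the TypeScript below is an added, generic illustration of that weakness class beside its hardened form; it is not Misskey's code, and the record type, store and function names are constructed for this example.

```typescript
// Added illustration of CWE-639, not code from Misskey. The record shape,
// the in-memory store and the handler names are all constructed for this example.

type UserId = string;

interface ProtectedRecord {
  id: string;
  ownerId: UserId;
  visibility: "public" | "private";
  body: string;
}

// Constructed sample data standing in for a server-side store.
const RECORDS: ProtectedRecord[] = [
  { id: "r1", ownerId: "alice", visibility: "private", body: "alice's draft" },
  { id: "r2", ownerId: "bob", visibility: "public", body: "bob's post" },
  { id: "r3", ownerId: "bob", visibility: "private", body: "bob's draft" },
];

interface Request {
  requesterId: UserId; // authenticated caller (the advisory's PR:L precondition)
  recordId: string;    // object key supplied by that caller
}

type Result = { ok: true; record: ProtectedRecord } | { ok: false; status: 404 };

// Vulnerable pattern: authentication happened earlier, but the lookup trusts the
// caller-supplied key and never asks whether this particular caller may read the row.
function fetchRecordVulnerable(req: Request): Result {
  const record = RECORDS.find((r) => r.id === req.recordId);
  if (!record) return { ok: false, status: 404 };
  return { ok: true, record };
}

// Hardened pattern: the authorization decision is made against the loaded object,
// not against the key alone. Private records are readable only by their owner.
function canRead(requesterId: UserId, record: ProtectedRecord): boolean {
  return record.visibility === "public" || record.ownerId === requesterId;
}

function fetchRecordHardened(req: Request): Result {
  const record = RECORDS.find((r) => r.id === req.recordId);
  // Same status for "missing" and "forbidden", so the response does not confirm
  // that a record with this id exists.
  if (!record || !canRead(req.requesterId, record)) return { ok: false, status: 404 };
  return { ok: true, record };
}

// Detection hook for server-side access logs: a successful read of a private record
// by a non-owner is the observable signature of this bug class.
function isCrossUserPrivateRead(req: Request): boolean {
  const record = RECORDS.find((r) => r.id === req.recordId);
  return !!record && record.visibility === "private" && record.ownerId !== req.requesterId;
}
```

The fix is a single predicate evaluated on the object after it is loaded; checking the key's format or the caller's login state alone does not close the gap, because the key is chosen by the caller. Logging the cases `isCrossUserPrivateRead` flags gives defenders a way to spot exploitation of an endpoint before a patch is applied.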


How to mitigate CVE-2026-28431

Install the security update from the vendor's website.

Sources