Authorization bypass through user-controlled key in Misskey - CVE-2026-46712


Published: May 23, 2026


Vulnerability identifier: #VU132178
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-46712
CWE-ID: CWE-639
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Misskey Development Division
Affected software:
Misskey

Detailed vulnerability description

The vulnerability allows a remote user to disclose limited portions of direct message data.

The vulnerability exists due to an authorization bypass through a user-controlled key (CWE-639) in the Direct Messages feature when handling requests for direct message data. A remote user can supply a key for data they do not own and thereby disclose limited portions of direct message data they would not normally be permitted to view.

This issue occurs regardless of whether federation is enabled. Notes created with specified visibility are not affected.
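The pattern behind CWE-639 is a lookup keyed only by a client-supplied identifier, with "is the caller logged in" as the sole access check. The block below is an added illustration, not Misskey's code and not derived from the fix: the message store, the field names (`senderId`, `recipientId`) and the handler names are all hypothetical. It places the vulnerable lookup beside a hardened one that scopes the read to the requester and returns the same "not found" result for foreign and missing ids.

```typescript
// Added illustration of CWE-639 (authorization bypass through a
// user-controlled key) in a direct-message lookup.
// Hypothetical code; it is not Misskey's implementation.

type UserId = string;

interface DirectMessage {
  id: string;
  senderId: UserId;
  recipientId: UserId;
  text: string;
}

// Constructed sample data standing in for a database table.
const messages = new Map<string, DirectMessage>([
  ["m1", { id: "m1", senderId: "alice", recipientId: "bob", text: "hi bob" }],
  ["m2", { id: "m2", senderId: "carol", recipientId: "dave", text: "lunch?" }],
]);

// Vulnerable pattern: the only authorization check is that a requester
// exists. The message id comes straight from the request, so any
// authenticated user who supplies another user's id reads that message.
function getMessageVulnerable(
  requesterId: UserId,
  messageId: string,
): DirectMessage | undefined {
  if (!requesterId) return undefined; // "is authenticated" is the only gate
  return messages.get(messageId);
}

// Hardened pattern: ownership is decided from the stored record, never from
// anything the client supplied. A foreign message and a missing message both
// yield the same result, so the response does not confirm that an id exists.
function getMessageAuthorized(
  requesterId: UserId,
  messageId: string,
): DirectMessage | undefined {
  if (!requesterId) return undefined;
  const msg = messages.get(messageId);
  if (!msg) return undefined;
  const isParticipant =
    msg.senderId === requesterId || msg.recipientId === requesterId;
  return isParticipant ? msg : undefined;
}

// Safe-by-construction variant: the query is scoped to the requester up
// front (the equivalent of binding the requester id in the WHERE clause),
// so there is no id-then-check step to forget.
function listMessagesFor(requesterId: UserId): DirectMessage[] {
  return [...messages.values()].filter(
    (m) => m.senderId === requesterId || m.recipientId === requesterId,
  );
}
```

When reviewing a handler for this class of bug, look for a read keyed by a request parameter where the requester's identity never appears in the lookup or in a check against the returned record; `listMessagesFor` shows the shape that makes the omission impossible rather than merely caught.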


How to mitigate CVE-2026-46712

Install the security update from the vendor's website.

Sources