CVE-2026-28431 CRITICAL

CVE-2026-28431: Misskey lacks proper authorization checks and input validation

Vendor Misskey-Dev
Product misskey
Weakness CWE-285
Published March 9, 2026
Last update March 10, 2026
View on NVD All CVEs

CVSS base score

9.2/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

What the vulnerability does

01Description

Misskey is an open source, federated social media platform. All Misskey servers running versions 8.45.0 and later, but prior to 2026.3.1, contain a vulnerability that allows bad actors access to data that they ordinarily wouldn't be able to access due to insufficient permission checks and proper input validation. This vulnerability occurs regardless of whether federation is enabled or not. This vulnerability could lead to a significant data breach. This vulnerability is fixed in 2026.3.1.

Key dates

02Disclosure timeline

March 9, 2026 CVE published
March 10, 2026 Record updated