CVE-2026-28431
Published: 10 March 2026
Summary
CVE-2026-28431 is a critical-severity Improper Authorization (CWE-285) vulnerability in Misskey. Its CVSS base score is 9.2 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 16.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-28431 is a vulnerability in Misskey, an open-source federated social media platform, affecting all servers running versions 8.45.0 and later but prior to 2026.3.1. The flaw stems from insufficient permission checks and improper input validation, enabling bad actors to access data they would not normally be able to view. This issue occurs regardless of whether federation is enabled and is classified under CWE-285 (Improper Authorization), with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity and no user interaction required. Exploitation grants high confidentiality impact by exposing sensitive data, potentially resulting in significant data breaches on affected Misskey instances.
The vulnerability is fixed in Misskey version 2026.3.1. Additional details on the issue and mitigation are available in the GitHub security advisory at https://github.com/misskey-dev/misskey/security/advisories/GHSA-r33c-qg3g-v9cr.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-10365
Vulnerability details
Misskey is an open source, federated social media platform. All Misskey servers running versions 8.45.0 and later, but prior to 2026.3.1, contain a vulnerability that allows bad actors access to data that they ordinarily wouldn't be able to access due to insufficient permission checks and improper input validation. This vulnerability occurs regardless of whether federation is enabled or not. This vulnerability could lead to a significant data breach. This vulnerability is fixed in 2026.3.1.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote unauthenticated exploitation of improper authorization in a public-facing Misskey server directly enables T1190 for data access.
Mitigating Controls (NIST 800-53 r5)
AC-3 requires enforcement of approved authorizations, directly addressing the insufficient permission checks that allow unauthorized data access in this CVE.
SI-10 mandates validation of information inputs, comprehensively mitigating the improper input validation exploited in this vulnerability.
SI-2 ensures timely identification, reporting, and correction of flaws like this improper authorization issue, enabling patching to version 2026.3.1.