
CVE-2026-28431

Critical

Published: 10 March 2026

Modified: 13 March 2026
CVSS v4 score: 9.2 (vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0025 (16.0th percentile)
Risk priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-28431 is a critical-severity Improper Authorization (CWE-285) vulnerability in Misskey (vendor: Misskey). Its CVSS base score is 9.2 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 16.0th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-28431 is a vulnerability in Misskey, an open-source federated social media platform, affecting all servers running versions 8.45.0 and later but prior to 2026.3.1. The flaw stems from insufficient permission checks and improper input validation, enabling bad actors to access data they would not normally be able to view. This issue occurs regardless of whether federation is enabled and is classified under CWE-285 (Improper Authorization), with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity and no user interaction required. Exploitation grants high confidentiality impact by exposing sensitive data, potentially resulting in significant data breaches on affected Misskey instances.

The vulnerability is fixed in Misskey version 2026.3.1. Additional details on the issue and mitigation are available in the GitHub security advisory at https://github.com/misskey-dev/misskey/security/advisories/GHSA-r33c-qg3g-v9cr.


Vulnerability details

Misskey is an open source, federated social media platform. All Misskey servers running versions 8.45.0 and later, but prior to 2026.3.1, contain a vulnerability that allows bad actors access to data that they ordinarily wouldn't be able to access due to insufficient permission checks and proper input validation. This vulnerability occurs regardless of whether federation is enabled or not. This vulnerability could lead to a significant data breach. This vulnerability is fixed in 2026.3.1.


Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

Remote unauthenticated exploitation of improper authorization in public-facing Misskey server directly enables T1190 for data access.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-28432 (same product: Misskey)
CVE-2025-25306 (same product: Misskey)
CVE-2025-24897 (same product: Misskey)
CVE-2025-24896 (same product: Misskey)
CVE-2025-11521 (shared CWE-285)
CVE-2025-49701 (shared CWE-285)
CVE-2026-22022 (shared CWE-285)
CVE-2026-25809 (shared CWE-285)
CVE-2023-53895 (shared CWE-285)
CVE-2026-34320 (shared CWE-285)

Affected Assets

misskey (vendor: misskey), versions 8.45.0 up to but not including 2026.3.1

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent): requires enforcement of approved authorizations, directly addressing the insufficient permission checks that allow unauthorized data access in this CVE.

SI-10 Information Input Validation (prevent): mandates validation of information inputs, comprehensively mitigating the improper input validation exploited in this vulnerability.

SI-2 Flaw Remediation (prevent, recover): ensures timely identification, reporting, and correction of flaws like this improper authorization issue, enabling patching to version 2026.3.1.
