CVE-2026-28431
Published: 10 March 2026
Summary
CVE-2026-28431 is a high-severity Improper Authorization (CWE-285) vulnerability in Misskey. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 14.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
Threat & Defense Details
Likely Mitigating Controls (AI-generated)
Per-CVE control mapping for this CVE has not yet been run; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Documented procedures facilitate correct implementation and ongoing management of authorization decisions.
- Periodic reviews identify and correct flaws in authorization decisions or their enforcement.
- The control's documentation requirement reduces improper authorization by ensuring only mission-justified actions bypass authentication.
- Establishing permitted attributes and values, plus auditing changes to them, ensures authorization decisions are based on correctly managed policy data.
- Explicitly mandating authorization of each remote access type before permitting connections directly mitigates improper authorization.
- The control explicitly requires authorization of each wireless access type prior to permitting connections.
- Mandating explicit authorization of mobile device connections reduces the risk of improper authorization decisions for system access.
- Specifying access authorizations for each account and requiring approvals for account requests enforces proper authorization decisions.
MITRE ATT&CK Enterprise Techniques (AI-generated)
Why these techniques?
Remote, unauthenticated exploitation of improper authorization in a public-facing Misskey server directly enables T1190 for data access.
NVD Description
Misskey is an open source, federated social media platform. All Misskey servers running versions 8.45.0 and later, but prior to 2026.3.1, contain a vulnerability that allows bad actors access to data that they ordinarily wouldn't be able to access due to insufficient permission checks and proper input validation. This vulnerability occurs regardless of whether federation is enabled or not. This vulnerability could lead to a significant data breach. This vulnerability is fixed in 2026.3.1.
Deeper analysis (AI-generated)
CVE-2026-28431 is a vulnerability in Misskey, an open-source federated social media platform, affecting all servers running versions 8.45.0 and later but prior to 2026.3.1. The flaw stems from insufficient permission checks and improper input validation, enabling bad actors to access data they would not normally be able to view. The issue occurs regardless of whether federation is enabled and is classified under CWE-285 (Improper Authorization), with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity and no user interaction required. Successful exploitation has a high confidentiality impact, exposing sensitive data and potentially resulting in significant data breaches on affected Misskey instances; integrity and availability are not affected.
The vulnerability is fixed in Misskey version 2026.3.1. Additional details on the issue and mitigation are available in the GitHub security advisory at https://github.com/misskey-dev/misskey/security/advisories/GHSA-r33c-qg3g-v9cr.
Details
- CWE(s)