Cyber Posture

CVE-2026-39386

High

Published: 21 April 2026
Modified: 23 April 2026
KEV Added: not listed
Patch: available (v3.0.11 / v3.1.2)
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0004 (13.7th percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-39386 is a high-severity vulnerability in M1K1O Neko, classified primarily as Improper Input Validation (CWE-20), that lets any authenticated user take full administrative control of the instance. Its CVSS v3.1 base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). EPSS ranks it at the 13.7th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI-generated]

AC-6 Least Privilege (prevent)
Employs the principle of least privilege to restrict authenticated users to only the permissions they need, directly preventing escalation to full administrative control.

AC-3 Access Enforcement (prevent)
Enforces approved authorizations for access to system resources, blocking improper privilege escalation and authorization bypass via endpoints such as /api/profile.

AC-2 Account Management (prevent)
Manages accounts so that only trusted users can authenticate and privileges are reviewed, shrinking the pool of potential exploiters, as the vendor mitigations recommend.

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The CVE describes a post-authentication privilege escalation vulnerability due to improper access control and authorization bypass, directly enabling adversaries to exploit software flaws for gaining higher (administrative) privileges.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Neko is a self-hosted virtual browser that runs in Docker and uses WebRTC. In versions 3.0.0 through 3.0.10 and 3.1.0 through 3.1.1, any authenticated user can immediately obtain full administrative control of the entire Neko instance (member management, room settings, broadcast control, session termination, etc.). This results in a complete compromise of the instance. The vulnerability has been patched in v3.0.11 and v3.1.2. If upgrading is not immediately possible, the following mitigations can reduce risk: Restrict access to trusted users only (avoid granting accounts to untrusted parties); ensure all user passwords are strong and only shared with trusted individuals; run the instance only when needed; avoid leaving it continuously exposed; place the instance behind authentication layers such as a reverse proxy with additional access controls; disable or restrict access to the /api/profile endpoint if feasible; and/or monitor for suspicious privilege changes or unexpected administrative actions. Note that these are temporary mitigations and do not fully eliminate the vulnerability. Upgrading is strongly recommended.

Deeper analysis [AI-generated]

CVE-2026-39386 is a privilege escalation vulnerability affecting Neko, a self-hosted virtual browser that runs in Docker and uses WebRTC. In versions 3.0.0 through 3.0.10 and 3.1.0 through 3.1.1, any authenticated user can immediately obtain full administrative control over the entire Neko instance. This flaw, published on 2026-04-21, is associated with CWEs including CWE-20 (Improper Input Validation), CWE-269 (Improper Privilege Management), CWE-284 (Improper Access Control), CWE-639 (Authorization Bypass Through User-Controlled Key), and CWE-862 (Missing Authorization), and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

The vulnerability can be exploited by any low-privileged authenticated user with network access to the Neko instance, requiring no user interaction. Successful exploitation grants complete administrative privileges, enabling attackers to manage members, configure room settings, control broadcasts, terminate sessions, and perform other actions that result in full compromise of the instance.

Patches are available in Neko versions v3.0.11 and v3.1.2, as detailed in the project's release notes and security advisory (GHSA-2gw9-c2r2-f5qf). Upgrading is strongly recommended. As temporary mitigations until patching is feasible, advisories suggest restricting access to trusted users only, enforcing strong passwords shared solely with trusted parties, running the instance only when needed rather than continuously exposing it, placing it behind additional authentication layers like a reverse proxy, disabling or restricting the /api/profile endpoint if possible, and monitoring for suspicious privilege changes or administrative actions; however, these do not fully eliminate the risk.
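The interim mitigations above (a reverse proxy acting as an extra authentication layer, refusing access to /api/profile, and logging refused attempts so they can be monitored) combined into one small gate. This is an added example, not Neko's own code or anything from the advisory. It assumes that Neko listens only on an internal address clients cannot reach directly, that Neko's own session is cookie-based so the proxy's basic-auth credential can be stripped before forwarding, and that trusted users can do without /api/profile until the upgrade; NEKO_UPSTREAM, GATE_USER, GATE_PASS and GATE_LISTEN are variable names chosen for this example.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"os"
	"path"
	"strings"
	"sync"
)

// Gate is an added example of the interim mitigations the advisory lists; it is not
// Neko's own code. It puts a second authentication layer (HTTP basic auth with one
// operator-issued credential, assumed here) in front of an unpatched instance, refuses
// every request to /api/profile, and records each refused attempt so it can be alerted on.
// Assumed: Neko listens on an internal address clients cannot reach directly, its own
// session is cookie-based (so the proxy credential can be stripped before forwarding),
// and trusted users do not need /api/profile until the instance is upgraded.
type Gate struct {
	upstream http.Handler
	user     string
	pass     string
	mu       sync.Mutex
	alerts   []string
}

func NewGate(upstream http.Handler, user, pass string) *Gate {
	return &Gate{upstream: upstream, user: user, pass: pass}
}

// blockedPath reports whether a request path reaches the endpoint the advisory says to
// disable. The path is cleaned and lower-cased first so "/api/profile/",
// "/api/../api/profile" and "/API/PROFILE" are all refused, not only the literal string.
func blockedPath(p string) bool {
	p = strings.ToLower(path.Clean("/" + p))
	return p == "/api/profile" || strings.HasPrefix(p, "/api/profile/")
}

// authorized checks the proxy credential in constant time so the comparison does not
// leak, byte by byte, how much of the password was right.
func (g *Gate) authorized(r *http.Request) bool {
	u, p, ok := r.BasicAuth()
	return ok &&
		subtle.ConstantTimeCompare([]byte(u), []byte(g.user)) == 1 &&
		subtle.ConstantTimeCompare([]byte(p), []byte(g.pass)) == 1
}

func (g *Gate) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	if !g.authorized(r) {
		w.Header().Set("WWW-Authenticate", `Basic realm="neko-gate"`)
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	if blockedPath(r.URL.Path) {
		msg := fmt.Sprintf("blocked %s %s from %s", r.Method, r.URL.Path, r.RemoteAddr)
		g.mu.Lock()
		g.alerts = append(g.alerts, msg)
		g.mu.Unlock()
		log.Print(msg) // this line is what to forward to whatever watches for privilege changes
		http.Error(w, "endpoint disabled pending upgrade", http.StatusForbidden)
		return
	}
	r.Header.Del("Authorization") // the inner app never sees the proxy credential
	g.upstream.ServeHTTP(w, r)
}

// Alerts returns a copy of the refused /api/profile attempts seen so far.
func (g *Gate) Alerts() []string {
	g.mu.Lock()
	defer g.mu.Unlock()
	return append([]string(nil), g.alerts...)
}

func getenv(k, def string) string {
	if v := os.Getenv(k); v != "" {
		return v
	}
	return def
}

func main() {
	upstream, err := url.Parse(getenv("NEKO_UPSTREAM", "http://127.0.0.1:8080"))
	if err != nil {
		log.Fatal(err)
	}
	pass := os.Getenv("GATE_PASS")
	if pass == "" {
		log.Fatal("GATE_PASS must be set")
	}
	gate := NewGate(httputil.NewSingleHostReverseProxy(upstream), getenv("GATE_USER", "operator"), pass)
	// TLS is assumed to be terminated in front of this listener.
	log.Fatal(http.ListenAndServe(getenv("GATE_LISTEN", "127.0.0.1:8443"), gate))
}
```

Run it beside the container with GATE_PASS set and point users at the gate rather than at Neko; the "blocked ..." log lines are the signal to feed into monitoring. Two caveats: the block matches the cleaned, decoded path, which is the conservative choice (a request that Neko's router would not route to /api/profile may still be refused), and the gate fronts only the HTTP API and client, not the WebRTC media Neko negotiates separately. Clients that authenticate to Neko with a bearer header rather than a cookie would need a different outer credential (for example mTLS or a source-address allowlist) instead of basic auth.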

Details

CWE(s)
CWE-20 (Improper Input Validation), CWE-269 (Improper Privilege Management), CWE-284 (Improper Access Control), CWE-639 (Authorization Bypass Through User-Controlled Key), CWE-862 (Missing Authorization)

Affected Products

m1k1o / neko
3.0.0 to 3.0.10 (fixed in 3.0.11) · 3.1.0 to 3.1.1 (fixed in 3.1.2)

CVEs Like This One

CVE-2026-30926 (shared: CWE-284, CWE-862)
CVE-2025-70983 (shared: CWE-284, CWE-862)
CVE-2026-40317 (shared: CWE-20, CWE-269)
CVE-2025-52347 (shared: CWE-20, CWE-269)
CVE-2026-30769 (shared: CWE-20, CWE-269)
CVE-2026-40474 (shared: CWE-284, CWE-862)
CVE-2026-5141 (shared: CWE-269, CWE-284)
CVE-2026-27591 (shared: CWE-284, CWE-639)
CVE-2024-55954 (shared: CWE-269, CWE-284)
CVE-2025-54914 (shared: CWE-284)