2.3
Misskey: Data is imported from other users without permission
CVE-2026-28433
Summary
Misskey servers running versions 10.93.0 and later, but prior to 2026.3.1, allow importing other users' data without permission because ownership is not validated. This could allow unauthorized access to sensitive information if a bad actor knows the ID of the target file. Update to version 2026.3.1 to fix the issue.
What to do
Update Misskey to version 2026.3.1, which fixes this vulnerability.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| misskey | misskey | >= 10.93.0, < 2026.3.1 | 2026.3.1 |
Original title
Misskey is an open source, federated social media platform. All Misskey servers running versions 10.93.0 and later, but prior to 2026.3.1, contain a vulnerability that allows importing other users'...
Original description
Misskey is an open source, federated social media platform. All Misskey servers running versions 10.93.0 and later, but prior to 2026.3.1, contain a vulnerability that allows importing other users' data due to lack of ownership validation. The impact of this vulnerability is estimated to be relatively low, as bad actors would require the ID corresponding to the target file for import. This vulnerability is fixed in 2026.3.1.
NVD CVSS 4.0
2.3
Vulnerability type
CWE-639
Authorization Bypass Through User-Controlled Key
CWE-862
Missing Authorization
Published: 10 Mar 2026 · Updated: 13 Mar 2026 · First seen: 10 Mar 2026