CVE-2026-28433
CVE-2026-28433 is a medium-severity vulnerability in Misskey with a CVSS 3.x base score of 4.3. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-639.
Key facts
- Severity: Medium (CVSS 3.x base score 4.3)
- CVSS v4: 2.3
- EPSS exploit prediction: 0% (13th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2026-10369
- Weakness: CWE-639
- Affected product: Misskey
- Published:
- Last modified:
Description
Misskey is an open source, federated social media platform. All Misskey servers running versions 10.93.0 and later, but prior to 2026.3.1, contain a vulnerability that allows importing other users' data due to lack of ownership validation. The impact of this vulnerability is estimated to be relatively low, as bad actors would require the ID corresponding to the target file for import. This vulnerability is fixed in 2026.3.1.
Frequently asked questions
- What is CVE-2026-28433?
- Misskey is an open source, federated social media platform. All Misskey servers running versions 10.93.0 and later, but prior to 2026.3.1, contain a vulnerability that allows importing other users' data due to lack of ownership validation. The impact of this vulnerability is estimated to be relatively low, as bad actors would require the ID corresponding to the target file for import. This vulnerability is fixed in 2026.3.1.
- How severe is CVE-2026-28433?
- CVE-2026-28433 has a CVSS 3.x base score of 4.3, rated medium severity. It is exploitable over network with low attack complexity, requires low privileges and no user interaction. Impact on confidentiality is low, integrity none, and availability none.
- Is CVE-2026-28433 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (13th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2026-28433?
- CVE-2026-28433 affects Misskey. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2026-28433?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- Does CVE-2026-28433 have an EU (EUVD) identifier?
- Yes. CVE-2026-28433 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-10369.
- When was CVE-2026-28433 published?
- CVE-2026-28433 was published on 2026-03-10 and last updated on 2026-06-17.
References
Affected products (1)
- cpe:2.3:a:misskey:misskey:*:*:*:*:*:*:*:*
More vulnerabilities in Misskey
- CVE-2025-25306 — Critical (CVSS 9.3): Misskey is an open source, federated social media platform. The patch for CVE-2024-52591 did not sufficiently validate…
- CVE-2024-52591 — Critical (CVSS 9.3): Misskey is an open source, federated social media platform. In affected versions missing validation in…
- CVE-2023-49079 — Critical (CVSS 9.3): Misskey is an open source, decentralized social media platform. Misskey's missing signature validation allows arbitrary…
- CVE-2023-52139 — Critical (CVSS 9.0): Misskey is an open source, decentralized social media platform. Third-party applications may be able to access some…
- CVE-2023-24812 — High (CVSS 8.8): Misskey is an open source, decentralized social media platform. In versions prior to 13.3.3 SQL injection is possible…
- CVE-2025-24897 — High (CVSS 8.2): Misskey is an open source, federated social media platform. Starting in version 12.109.0 and prior to version…
Other CWE-639 (Authorization Bypass Through User-Controlled Key (IDOR)) vulnerabilities
- CVE-2025-40805 — Critical (CVSS 10.0): Affected devices do not properly enforce user authentication on specific API endpoints. This could facilitate an…
- CVE-2024-45032 — Critical (CVSS 10.0): A vulnerability has been identified in Industrial Edge Management Pro (All versions < V1.9.5), Industrial Edge…
- CVE-2026-34037 — Critical (CVSS 9.9): Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to…
- CVE-2026-52782 — Critical (CVSS 9.9): OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, there is an IDOR through…
- CVE-2026-45552 — Critical (CVSS 9.9): Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior,…
- CVE-2026-29200 — Critical (CVSS 9.9): A critical IDOR vulnerability has been discovered in Comet Backup affecting all versions from 20.11.0 to 26.1.1 and…
Browse all CWE-639 (Authorization Bypass Through User-Controlled Key (IDOR)) vulnerabilities →