Auth bypass in Misskey-dev Misskey

CVE-2026-28431

Misskey is an open source, federated social media platform. All Misskey servers running versions 8.45.0 and later, but prior to 2026.3.1, contain a vulnerability that allows bad actors access to data that they ordinarily wouldn't be able t…

EPSS: 0.001 (15.9th percentile) — read the EPSS interpretation.

Affected products

Misskey-dev Misskey — versions >= 8.45.0, < 2026.3.1

Weakness classification (CWE)

CWE-285 — Improper Authorization

References

https://github.com/misskey-dev/misskey/security/advisories/GHSA-r33c-qg3g-v9cr (x_refsource_CONFIRM)