Misskey
cpe:2.3:a:misskey:misskey:*:*:*:*:*:*:*
- >= 13.0.0-beta.16, < 2025.12.0
A vulnerability in Misskey allows users to export private posts that they do not have permission to view. This issue affects Misskey versions from 13.0.0-beta.16 prior to 2025.12.0. The vulnerability arises because users can add private posts (followers-only posts or direct messages) to their favorites or clips and then export that data, which reveals the contents of the private posts. The problem is exacerbated for posts pinned to the author's profile, because the IDs of those posts can be retrieved from the user page on the original server.
Exploitation of this vulnerability allows unauthorized access to private post content. Additionally, if private posts are pinned, their IDs can be obtained from the user's page on the original server, posing a further risk.
To reproduce this vulnerability, create two accounts on the same Misskey server: one for testing (Account X) and one for sending private posts (Account Y). From Account Y, send private posts to Account X using the 'Follow' and 'Nominate' features. Then, log into Account X, add these posts to favorites or clips, and export the data. The exported content will include the private posts from Account Y.
Users can update to Misskey version 2025.12.0 or later to address this vulnerability.
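The class of fix this advisory implies is to run the export path through the same visibility rule that the viewing path enforces. The example below is added here and is not Misskey's own code: the visibility levels ("public", "home", "followers", "specified") follow Misskey's note model, but the record shapes, function names and sample data are assumptions constructed for illustration.

```typescript
// Added illustration (not Misskey's code): export of clipped/favorited notes
// must apply the same visibility check as viewing a note, otherwise a note
// added to a clip by ID alone leaks through the export.

type Visibility = "public" | "home" | "followers" | "specified";

interface Note {
  id: string;
  userId: string;            // author of the note
  visibility: Visibility;
  visibleUserIds: string[];  // recipients of a "specified" (direct) note
  text: string;
}

interface Viewer {
  id: string;
  followingIds: Set<string>; // authors this viewer follows
}

// The rule the view path enforces; exporting must enforce it too.
function isVisibleTo(note: Note, viewer: Viewer): boolean {
  if (note.userId === viewer.id) return true;            // author sees own note
  switch (note.visibility) {
    case "public":
    case "home":
      return true;
    case "followers":
      return viewer.followingIds.has(note.userId);
    case "specified":
      return note.visibleUserIds.includes(viewer.id);
    default:
      return false;
  }
}

// Vulnerable pattern: resolve every clipped ID and export it, no visibility check.
function exportClipUnchecked(clipNoteIds: string[], notes: Map<string, Note>): Note[] {
  return clipNoteIds.flatMap((id) => { const n = notes.get(id); return n ? [n] : []; });
}

// Hardened pattern: filter the export through the viewing rule for the exporting user.
function exportClipChecked(clipNoteIds: string[], notes: Map<string, Note>, viewer: Viewer): Note[] {
  return exportClipUnchecked(clipNoteIds, notes).filter((n) => isVisibleTo(n, viewer));
}

// Constructed sample: Account Y's direct note to Z and a followers-only note,
// both clipped by Account X, who is neither recipient nor follower.
const notes = new Map<string, Note>([
  ["n1", { id: "n1", userId: "Y", visibility: "specified", visibleUserIds: ["Z"], text: "direct to Z" }],
  ["n2", { id: "n2", userId: "Y", visibility: "followers", visibleUserIds: [], text: "followers only" }],
  ["n3", { id: "n3", userId: "Y", visibility: "public", visibleUserIds: [], text: "public" }],
]);
const accountX: Viewer = { id: "X", followingIds: new Set<string>() };
const clip = ["n1", "n2", "n3"];
```

With the sample data, the unchecked export returns all three notes while the checked export returns only the public one.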