Primary

Context

Misskey Data Import Vulnerability Due to Lack of Ownership Validation

Vulnerability

Patched

A vulnerability exists in Misskey, an open-source federated social media platform, in all servers running versions 10.93.0 and later, but prior to 2026.3.1. This vulnerability allows the import of other users' data without proper ownership validation. While the impact is considered relatively low, as malicious actors would need to know the ID of the target file to import it, the issue still poses a risk to user privacy.

Impact

Exploitation of this vulnerability could lead to unauthorized access and import of other users' data, potentially violating user privacy.

Remediation

Users can update to Misskey version 2026.3.1 or later, where this vulnerability has been fixed. For those using Misskey version 2024.9.0 or later, the importing function can be disabled via role policy as a temporary workaround.

Added: Mar 10, 2026, 7:50 AM

Updated: Mar 10, 2026, 7:50 AM

Vulnerability Rating

Custom Algorithm

spread

2.2

impact

0.6

exploitability

5.0

remediation

8.3

relevance

3.7

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

2.2

impact

0.6

exploitability

5.0

remediation

8.3

relevance

3.7

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Misskey Data Import Vulnerability Due to Lack of Ownership Validation

Vulnerability

Impact

Remediation

Affected Products

Misskey

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating