What is the CVSS score of CVE-2026-28432?

CVE-2026-28432 has a CVSS 3.1 base score of 7.5 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N. EPSS exploitation probability: 0.0%.

Which versions of Misskey are affected by CVE-2026-28432?

A cryptographic signature verification flaw in Misskey federated social media platform versions up to 2026.3.1 allows attackers to forge or bypass authentication mechanisms, potentially enabling…

How to fix or mitigate CVE-2026-28432?

Within 24 hours: Inventory all Misskey instances in use and confirm affected versions; enable enhanced logging for authentication and federation events. Within 7 days: Implement network-level monitoring for suspicious federation traffic; restrict federation connections to trusted instances only; disable public federation if operationally feasible. Within 30 days: Monitor vendor advisories for patch availability; prepare deployment plan for emergency patching; conduct security audit of federated connections and user account activity for indicators of compromise.

Misskey CVE-2026-28432

HIGH

Improper Verification of Cryptographic Signature (CWE-347)

2026-03-10 security-advisories@github.com

Authentication Bypass Misskey

7.5

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

7.5 HIGH

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:55 vuln.today

CVE Published

Mar 10, 2026 - 07:43 nvd

HIGH 7.5

DescriptionGitHub Advisory

Misskey is an open source, federated social media platform. All Misskey servers prior to 2026.3.1 contain a vulnerability that allows bypassing HTTP signature verification. Although this is a vulnerability related to federation, it affects all servers regardless of whether federation is enabled or disabled. This vulnerability is fixed in 2026.3.1.

AnalysisAI

federated social media platform. All Misskey server versions up to 2026.3.1 is affected by improper verification of cryptographic signature.

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Craft HTTP request with forged signature

Exploit

Send to Misskey federation endpoint

Execution

Bypass signature verification

Impact

Inject malicious federated content

Access

Craft HTTP request with forged signature

Exploit

Send to Misskey federation endpoint

Execution

Bypass signature verification

Impact

Inject malicious federated content

Vulnerability AssessmentAI

Exploitation	Misskey server version prior to 2026.3.1. … Additional conditions and limiting factors are described in the full assessment.
Exploit Scenario	An attacker could exploit this vulnerability to compromise the affected system.
Remediation	Fixed in version 2026.3.1.. Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all Misskey instances in use and confirm affected versions; enable enhanced logging for authentication and federation events. …

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-28432 vulnerability details – vuln.today

Back

Misskey CVE-2026-28432

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

Share

External POC / Exploit Code