Skip to main content

Misskey CVE-2026-57574

| EUVDEUVD-2026-43041 HIGH
Authentication Bypass by Capture-replay (CWE-294)
2026-07-10 GitHub_M
7.4
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
7.4 HIGH
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.8 MEDIUM

Network replay against the login endpoint (AV:N, PR:N) but success requires concurrently capturing password and a live TOTP within one time step (AC:H) and relies on the victim's active authentication (UI:R); takeover yields C:H/I:H, no availability impact.

3.1 AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
4.0 AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

2
Patch available
Jul 10, 2026 - 22:02 EUVD
Analysis Generated
Jul 10, 2026 - 21:43 vuln.today

DescriptionCVE.org

Misskey is an open source, federated social media platform. Prior to 2026.6.0, Misskey contains a vulnerability in Time-based One-Time Password (TOTP) authentication in UserAuthService where insufficient validation of used tokens allows the reuse of a single-use code within its valid time step. If both credentials and a TOTP code are obtained concurrently, an attacker may reuse the code to perform unauthorized actions, potentially leading to account takeover. This issue is fixed in version 2026.6.0.

AnalysisAI

Authentication replay in Misskey before 2026.6.0 lets an attacker reuse a valid TOTP code that should be single-use, because UserAuthService fails to invalidate a code after its first successful use within the same time step. An adversary who concurrently captures a victim's password and one TOTP value can replay that code to authenticate, enabling unauthorized actions up to account takeover. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Phish or AitM-proxy victim login
Delivery
Capture password and live TOTP code
Exploit
Replay same TOTP within time step
Execution
Bypass single-use 2FA check
Persist
Establish authenticated session
Impact
Take over account

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to obtain the victim's password AND a valid TOTP code for the same account concurrently (e.g., via phishing, a reverse-proxy AitM kit, or interception), then replay that code within its single valid TOTP time step (~30 seconds) before it naturally expires. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor CVSS 4.0 base score is 7.4 (High) with vector AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N, and the signals are internally consistent with a real but conditional threat. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has phished or intercepted a Misskey user's username, password, and the TOTP code they just entered (for example via a man-in-the-middle proxy or a malicious login page) replays that same still-valid 6-digit code against the login endpoint before the ~30-second time step expires. Because the code was not invalidated on first use, the second authentication succeeds and the attacker gains an authenticated session, enabling account takeover. …
Remediation Vendor-released patch: upgrade to Misskey 2026.6.0, which enforces single-use TOTP validation in UserAuthService; the fix corresponds to commits 00c6210a591db2b0be438740d05b82070fa68ac6 and d323fe00d04ac46ab0b4e66fce9169effaa8dfb7. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: audit all Misskey deployments to identify versions and assess exposure. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2024-32983 HIGH POC
7.5 Jun 03

Misskey is an open source, decentralized microblogging platform. Rated high severity (CVSS 7.5), this vulnerability is r

CVE-2019-1020010 MEDIUM POC
6.1 Jul 29

Misskey before 10.102.4 allows hijacking a user's token. Rated medium severity (CVSS 6.1), this vulnerability is remotel

CVE-2023-24812 CRITICAL
9.8 Feb 22

Misskey is an open source, decentralized social media platform. Rated critical severity (CVSS 9.8), this vulnerability i

CVE-2023-52139 CRITICAL
9.6 Dec 29

Misskey is an open source, decentralized social media platform. Rated critical severity (CVSS 9.6), this vulnerability i

CVE-2025-46559 MEDIUM POC
5.4 May 05

Misskey is an open source, federated social media platform. Rated medium severity (CVSS 5.4), this vulnerability is remo

CVE-2024-52591 HIGH
8.8 Dec 18

Misskey is an open source, federated social media platform. Rated high severity (CVSS 8.8), this vulnerability is remote

CVE-2024-52590 HIGH
8.8 Dec 18

Misskey is an open source, federated social media platform. Rated high severity (CVSS 8.8), this vulnerability is remote

CVE-2024-25636 HIGH
8.8 Feb 19

Misskey is an open source, decentralized social media platform with ActivityPub support. Rated high severity (CVSS 8.8),

CVE-2025-24897 HIGH
8.2 Feb 11

Misskey is an open source, federated social media platform. Rated high severity (CVSS 8.2), this vulnerability is remote

CVE-2025-24896 HIGH
8.1 Feb 11

Misskey is an open source, federated social media platform. Rated high severity (CVSS 8.1), this vulnerability is remote

CVE-2026-28431 HIGH
7.5 Mar 10

Misskey is an open source, federated social media platform.

CVE-2026-28432 HIGH
7.5 Mar 10

federated social media platform. All Misskey server versions up to 2026.3.1 is affected by improper verification of cryp

Share

CVE-2026-57574 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy