CVE-2026-57574
misskey-dev · misskey
Misskey is susceptible to an authentication bypass vulnerability due to improper handling of capture-replay scenarios.
Executive summary
An authentication bypass vulnerability in Misskey allows remote attackers to compromise accounts via capture-replay attacks, potentially leading to full account takeover.
Vulnerability
This is an authentication bypass vulnerability (CWE-294) resulting from a failure to correctly validate session or authentication tokens against capture-replay attempts. The attacker does not require prior authentication to attempt this exploit.
Business impact
With a CVSS score of 7.4, this vulnerability represents a significant threat to user account integrity. Successful exploitation could allow unauthorized actors to hijack user sessions, access private communications, and perform actions on behalf of legitimate users, severely damaging platform trust.
Remediation
Immediate Action: Upgrade the Misskey platform to version 2026.6.0 or later to implement the required replay protection mechanisms.
Proactive Monitoring: Review authentication logs for anomalous patterns, such as multiple successful logins from disparate geographical locations within short timeframes.
Compensating Controls: Enforce Multi-Factor Authentication (MFA) for all users, which may mitigate the impact of session-based bypass attempts.
Exploitation status
Public Exploit Available: No
Analyst recommendation
The risk of authentication bypass poses a critical threat to the security of the Misskey federated social media platform. Administrators should apply the 2026.6.0 update immediately to ensure robust replay protection and prevent unauthorized account access.