Misskey is a federated social media platform that allows users to share and import data across servers. Versions 10.93.0 through 2026.3.0 contain a vulnerability (CVE-2026-28433) where the system fails to properly validate ownership when importing user data files. Specifically, the authorization mechanism does not verify that the user requesting an import owns or is permitted to access the target file identified by a user-controlled key (file ID). This flaw stems from CWE-639, which involves authorization bypass through user-controlled keys, and CWE-862, which relates to missing authorization checks. An attacker with at least limited privileges and knowledge of the file ID can import data belonging to other users, potentially exposing private or sensitive information. However, the impact is mitigated by the requirement to know the exact file ID, which is not trivially guessable. The vulnerability does not require user interaction but does require some authentication, limiting remote anonymous exploitation. The issue was publicly disclosed on March 9, 2026, and patched in Misskey version 2026.3.1. The CVSS v4.0 vector indicates network attack vector, low attack complexity, partial privileges required, no user interaction, and low impact on confidentiality, integrity, and availability.

The primary impact of this vulnerability is unauthorized access to other users' data through improper import operations. This could lead to privacy violations and potential leakage of sensitive user information within the Misskey federated social media ecosystem. Although the severity is low, organizations running vulnerable Misskey instances risk reputational damage and loss of user trust if data is improperly accessed. Since Misskey is federated, compromised data could propagate across interconnected servers, amplifying the impact. The requirement for the attacker to know the file ID reduces the likelihood of widespread exploitation but does not eliminate targeted attacks. No direct impact on system availability or integrity is indicated, but confidentiality breaches remain a concern. The vulnerability does not appear to enable privilege escalation or remote code execution.

Organizations should upgrade all Misskey instances to version 2026.3.1 or later immediately to apply the official patch that enforces proper ownership validation during data import. Until patched, administrators should restrict access to import functionality to trusted users only and monitor logs for suspicious import requests involving unknown file IDs. Implementing additional access controls or rate limiting on import APIs can reduce exploitation risk. It is also advisable to audit existing imported data for unauthorized entries and notify affected users if data exposure is suspected. Federated servers should coordinate to ensure all nodes are updated to prevent cross-server data leakage. Finally, security teams should educate users about the importance of safeguarding file identifiers and credentials to limit information disclosure that could facilitate exploitation.