{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28432", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-27T15:54:05.137Z", "datePublished": "2026-03-09T21:19:43.220Z", "dateUpdated": "2026-03-10T14:45:12.846Z"}, "containers": {"cna": {"title": "HTTP signature verification can be bypassed", "problemTypes": [{"descriptions": [{"cweId": "CWE-347", "lang": "en", "description": "CWE-347: Improper Verification of Cryptographic Signature", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-grwc-c762-gcvp", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-grwc-c762-gcvp"}], "affected": [{"vendor": "misskey-dev", "product": "misskey", "versions": [{"version": "< 2026.3.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-09T21:19:43.220Z"}, "descriptions": [{"lang": "en", "value": "Misskey is an open source, federated social media platform. All Misskey servers prior to 2026.3.1 contain a vulnerability that allows bypassing HTTP signature verification. Although this is a vulnerability related to federation, it affects all servers regardless of whether federation is enabled or disabled. This vulnerability is fixed in 2026.3.1."}], "source": {"advisory": "GHSA-grwc-c762-gcvp", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-10T14:45:02.558778Z", "id": "CVE-2026-28432", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T14:45:12.846Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28432", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-10T14:45:02.558778Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T14:45:07.659Z"}}], "cna": {"title": "HTTP signature verification can be bypassed", "source": {"advisory": "GHSA-grwc-c762-gcvp", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW"}}], "affected": [{"vendor": "misskey-dev", "product": "misskey", "versions": [{"status": "affected", "version": "< 2026.3.1"}]}], "references": [{"url": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-grwc-c762-gcvp", "name": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-grwc-c762-gcvp", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Misskey is an open source, federated social media platform. All Misskey servers prior to 2026.3.1 contain a vulnerability that allows bypassing HTTP signature verification. Although this is a vulnerability related to federation, it affects all servers regardless of whether federation is enabled or disabled. This vulnerability is fixed in 2026.3.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-347", "description": "CWE-347: Improper Verification of Cryptographic Signature"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-09T21:19:43.220Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28432", "state": "PUBLISHED", "dateUpdated": "2026-03-10T14:45:12.846Z", "dateReserved": "2026-02-27T15:54:05.137Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-09T21:19:43.220Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:misskey:misskey:*:*:*:*:*:*:*:*", "matchCriteriaId": "5642C9AC-AF91-4ED8-ABEE-9D69A5E0D81A", "versionEndExcluding": "2026.3.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Misskey is an open source, federated social media platform. All Misskey servers prior to 2026.3.1 contain a vulnerability that allows bypassing HTTP signature verification. Although this is a vulnerability related to federation, it affects all servers regardless of whether federation is enabled or disabled. This vulnerability is fixed in 2026.3.1."}, {"lang": "es", "value": "Misskey es una plataforma de redes sociales de c\u00f3digo abierto y federada. Todos los servidores Misskey anteriores a 2026.3.1 contienen una vulnerabilidad que permite eludir la verificaci\u00f3n de firmas HTTP. Aunque esta es una vulnerabilidad relacionada con la federaci\u00f3n, afecta a todos los servidores independientemente de si la federaci\u00f3n est\u00e1 habilitada o deshabilitada. Esta vulnerabilidad est\u00e1 corregida en 2026.3.1."}], "id": "CVE-2026-28432", "lastModified": "2026-03-13T17:18:06.580", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-10T07:43:35.770", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-grwc-c762-gcvp"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-347"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2026.3.1)"}}], "enrichment": {"confidence": 88.0, "confidence_source": "matching", "scores": [{"score": 88.0, "source": "matching"}]}, "original": {"product": "misskey", "source": "cna", "vendor": "misskey-dev"}, "product": "misskey", "vendor": "misskey"}], "analysis": {"en": {"generated_at": "2026-04-16T10:10:37.681759+00:00", "value": {"mitigation_remediation": ["Apply the official Misskey 2026.3.1 patch or newer to restore proper HTTP signature verification.", "If an immediate upgrade is unavailable, temporarily disable federation endpoints or lock down federation traffic to eliminate the attack surface that the vulnerability exploits.", "Maintain vigilant log monitoring for unexpected federation requests or anomalies, ensuring that any signed messages are correctly validated and that no illicit content is accepted."], "summary": {"action": "Upgrade", "impact": "Authorization Bypass via HTTP Signature Forgery"}, "threat_synthesis": {"affected_systems": "All Misskey installations operated by misskey-dev, specifically any server running a version earlier than 2026.3.1. The issue is independent of whether federation is enabled, so every server running the affected code base is susceptible.", "description_and_impact": "Misskey versions released before 2026.3.1 fail to properly validate HTTP signatures that secure federated communications. This flaw allows an attacker to forge or manipulate federated requests, causing the server to accept these requests as authentic. The consequence is that the compromised server could be tricked into processing malicious content or impersonating other instances, leading to integrity violations and potential misuse of user data.", "risk_and_exploitability": "The CVSS score for this vulnerability is 7.1, indicating a high level of severity. The EPSS score is less than 1%, suggesting that exploitation is currently considered unlikely. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the attack vector is likely remote; an adversary can send forged signed federation messages that bypass the signature check, enabling unauthorized data injection or impersonation of other instances."}}}}, "created": "2026-03-10T14:06:57.021606+00:00", "updated": "2026-04-16T10:15:26.110863+00:00", "vendors": ["misskey", "misskey$PRODUCT$misskey"]}