Misskey vulnerable to improper authorization when accessing with third-party application
CVE-2023-52139
9.1CRITICAL
What is CVE-2023-52139?
The Misskey social media platform has an access control vulnerability that allows unauthorized third-party applications to exploit certain endpoints or Websocket APIs. This flaw permits these applications to perform actions such as reading or adding non-public content without user authorization. Consequently, if the authenticated user is an administrator, sensitive information—including object storage secret keys and SMTP server passwords—may be leaked. Additionally, general users may create invitation codes without permission and disclose private user information. This vulnerability has been addressed in version 2023.12.1.
Affected Version(s)
misskey < 2023.12.1
