Vulnerability in TOTP Authentication of Misskey Platform
CVE-2026-57574
7.4HIGH
What is CVE-2026-57574?
Misskey, an open-source federated social media platform, has a vulnerability in its Time-based One-Time Password (TOTP) authentication process within UserAuthService. This flaw enables insufficient validation of used tokens, allowing an attacker to reuse a single-use code within its valid time window. If a user's credentials and a valid TOTP code are compromised simultaneously, the attacker may exploit this vulnerability to carry out unauthorized actions on the user's account, potentially leading to account takeover. This vulnerability has been addressed in version 2026.6.0.
Affected Version(s)
misskey < 2026.6.0
