Vulnerability in TOTP Authentication of Misskey Platform
CVE-2026-57574

7.4HIGH

Key Information:

Status
Vendor
CVE Published:
10 July 2026

What is CVE-2026-57574?

Misskey, an open-source federated social media platform, has a vulnerability in its Time-based One-Time Password (TOTP) authentication process within UserAuthService. This flaw enables insufficient validation of used tokens, allowing an attacker to reuse a single-use code within its valid time window. If a user's credentials and a valid TOTP code are compromised simultaneously, the attacker may exploit this vulnerability to carry out unauthorized actions on the user's account, potentially leading to account takeover. This vulnerability has been addressed in version 2026.6.0.

Affected Version(s)

misskey < 2026.6.0

References

CVSS V4

Score:
7.4
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.