Server-Side Request Forgery Issue in Misskey by Misskey Developers
CVE-2026-57575
6.9MEDIUM
What is CVE-2026-57575?
Misskey, an open source federated social media platform, contains a vulnerability in its URL preview functionality found in UrlPreviewService. This Server-Side Request Forgery (SSRF) flaw allows an attacker to exploit the outgoing connections feature, enabling them to make HTTP requests to internal services. Because of inadequate network restrictions before this connection is established, the attacker can potentially target loopback, private, or link-local addresses. Although sensitive data is not thought to be exposed due to post-request IP validation, it is crucial for users to update to version 2026.6.0, where this issue has been resolved, to ensure their systems remain secure.
Affected Version(s)
misskey < 2026.6.0
