Server-Side Request Forgery Issue in Misskey by Misskey Developers
CVE-2026-57575

6.9MEDIUM

Key Information:

Status
Vendor
CVE Published:
10 July 2026

What is CVE-2026-57575?

Misskey, an open source federated social media platform, contains a vulnerability in its URL preview functionality found in UrlPreviewService. This Server-Side Request Forgery (SSRF) flaw allows an attacker to exploit the outgoing connections feature, enabling them to make HTTP requests to internal services. Because of inadequate network restrictions before this connection is established, the attacker can potentially target loopback, private, or link-local addresses. Although sensitive data is not thought to be exposed due to post-request IP validation, it is crucial for users to update to version 2026.6.0, where this issue has been resolved, to ensure their systems remain secure.

Affected Version(s)

misskey < 2026.6.0

References

CVSS V4

Score:
6.9
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.