Back to overview

CVE-2026-57574

HIGH
7.4
CVSS 4.0
Description
Misskey is an open source, federated social media platform. Prior to 2026.6.0, Misskey contains a vulnerability in Time-based One-Time Password (TOTP) authentication in UserAuthService where insufficient validation of used tokens allows the reuse of a single-use code within its valid time step. If both credentials and a TOTP code are obtained concurrently, an attacker may reuse the code to perform unauthorized actions, potentially leading to account takeover. This issue is fixed in version 2026.6.0.

Metadata

CVE ID
CVE-2026-57574
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-06-24 18:49 UTC
Published
2026-07-10 20:55 UTC
Last updated
2026-07-10 20:55 UTC
Primary CWE
CWE-294
CWE-294: Authentication Bypass by Capture-replay
Vendor / Product
misskey-dev / misskey
Sources
cve.org  ·  NVD

Severity & Metrics

7.4 HIGH CVSS 4.0
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Affected products (1)
VendorProductPlatformVersions
misskey-dev misskey < 2026.6.0
Weakness (CWE)
CWESourceDescription
CWE-294 cna CWE-294: Authentication Bypass by Capture-replay
CVSS scores (1)
ScoreSeverityVersionSourceVector
7.4 HIGH 4.0 cna CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
References (4)
Back to overview