GHSA-2GW9-C2R2-F5QF

Vulnerability from github – Published: 2026-04-21 17:24 – Updated: 2026-04-21 17:24
VLAI?
Summary
Neko has a Self-service Privilege Escalation for Authenticated Users
Details

Impact

Any authenticated user can immediately obtain full administrative control of the entire Neko instance (member management, room settings, broadcast control, session termination, etc.). This results in a complete compromise of the instance.

Patches

The vulnerability has been patched in the following releases:

Users should upgrade to v3.0.11 or later (for the 3.0 branch) or v3.1.2 or later.

Workarounds

If upgrading is not immediately possible, the following mitigations can reduce risk:

  • Restrict access to trusted users only (avoid granting accounts to untrusted parties)
  • Run the instance only when needed; avoid leaving it continuously exposed
  • Disable or restrict access to the /api/profile endpoint if feasible
  • Monitor for suspicious privilege changes or unexpected administrative actions

Note: These are temporary mitigations and do not fully eliminate the vulnerability. Upgrading is strongly recommended.

Credits

Neko thanks @blitzkrieg-patch for responsibly disclosing this vulnerability and reaching out directly. This contribution helped strengthen the project, and the whole community benefits from it.

Severity ?
8.8 (High)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/m1k1o/neko/server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.0.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/m1k1o/neko/server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.0.0-20250322225643-212bf8a60756"
            },
            {
              "fixed": "0.0.0-20260406184107-c54bcf1ee211"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-39386"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-269",
      "CWE-284",
      "CWE-639",
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-21T17:24:42Z",
    "nvd_published_at": "2026-04-21T01:16:06Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nAny authenticated user can immediately obtain full administrative control of the entire Neko instance (member management, room settings, broadcast control, session termination, etc.). This results in a complete compromise of the instance.\n\n### Patches\n\nThe vulnerability has been patched in the following releases:\n\n- [v3.0.11](https://github.com/m1k1o/neko/releases/tag/v3.0.11) (backport release)\n- [v3.1.2](https://github.com/m1k1o/neko/releases/tag/v3.1.2) (latest stable release)\n\nUsers should upgrade to [v3.0.11](https://github.com/m1k1o/neko/releases/tag/v3.0.11) or later (for the 3.0 branch) or [v3.1.2](https://github.com/m1k1o/neko/releases/tag/v3.1.2) or later.\n\n### Workarounds\n\nIf upgrading is not immediately possible, the following mitigations can reduce risk:\n\n- Restrict access to trusted users only (avoid granting accounts to untrusted parties)\n- Run the instance only when needed; avoid leaving it continuously exposed\n- Disable or restrict access to the `/api/profile` endpoint if feasible\n- Monitor for suspicious privilege changes or unexpected administrative actions\n\nNote: These are temporary mitigations and do not fully eliminate the vulnerability. Upgrading is strongly recommended.\n\n### Credits\nNeko thanks @blitzkrieg-patch for responsibly disclosing this vulnerability and reaching out directly. This contribution helped strengthen the project, and the whole community benefits from it.",
  "id": "GHSA-2gw9-c2r2-f5qf",
  "modified": "2026-04-21T17:24:42Z",
  "published": "2026-04-21T17:24:42Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/m1k1o/neko/security/advisories/GHSA-2gw9-c2r2-f5qf"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39386"
    },
    {
      "type": "WEB",
      "url": "https://github.com/m1k1o/neko/commit/6b561feb9016badea99ae7305091c0ff55e1d114"
    },
    {
      "type": "WEB",
      "url": "https://github.com/m1k1o/neko/commit/c54bcf1ee211e28104a2bb6db59583a39c4a4d6e"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/m1k1o/neko"
    },
    {
      "type": "WEB",
      "url": "https://github.com/m1k1o/neko/releases/tag/v3.0.11"
    },
    {
      "type": "WEB",
      "url": "https://github.com/m1k1o/neko/releases/tag/v3.1.2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Neko has a Self-service Privilege Escalation for Authenticated Users"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.