Neko has a Self-service Privilege Escalation for Authenticated Users
GHSA-2gw9-c2r2-f5qf · CVE-2026-39386 · GO-2026-4960
Description
Impact
Any authenticated user can immediately obtain full administrative control of the entire Neko instance (member management, room settings, broadcast control, session termination, etc.). This results in a complete compromise of the instance.
Patches
The vulnerability has been patched in the following releases:
- v3.0.11 or later (3.0 branch)
- v3.1.2 or later (3.1 branch)
Users on the 3.0 branch should upgrade to v3.0.11 or later; users on the 3.1 branch should upgrade to v3.1.2 or later. Note that the fix thresholds differ per branch: a 3.1.x release below v3.1.2 is still affected even though its version number is higher than v3.0.11.
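Because the fixed version differs per branch, a naive "newer than v3.0.11" check misclassifies v3.1.0 and v3.1.1 as safe. The following shell function is an added example for inventory triage; it is not part of the advisory or the Neko project. It assumes plain `vMAJOR.MINOR.PATCH` tags as in the project's releases, treats any 3.x minor above 3.1 as "later than v3.1.2", and reports versions outside the 3.x line as needing manual review rather than guessing.

```shell
#!/bin/sh
# neko_is_patched VERSION
#   exit 0  -> version carries the fix for CVE-2026-39386 (v3.0.11+ on 3.0, v3.1.2+ on 3.1, any 3.2+)
#   exit 1  -> version is an affected 3.x release
#   exit 2  -> version not covered by this advisory's fix list (review manually)
# Assumption (not from the advisory): tags look like "v3.0.11" or "3.1.2", optionally with a
# "-rc1"-style suffix on the patch component.
neko_is_patched() {
    nip_v=${1#v}                          # tolerate a leading "v"
    case "$nip_v" in
        *.*.*) ;;                         # need MAJOR.MINOR.PATCH
        *) return 2 ;;
    esac
    nip_major=${nip_v%%.*}
    nip_rest=${nip_v#*.}
    nip_minor=${nip_rest%%.*}
    nip_patch=${nip_rest#*.}
    nip_patch=${nip_patch%%[!0-9]*}       # "11-rc1" -> "11"

    case "$nip_major.$nip_minor" in
        3.0) [ "$nip_patch" -ge 11 ] ;;   # fixed in v3.0.11
        3.1) [ "$nip_patch" -ge 2 ] ;;    # fixed in v3.1.2
        3.*) return 0 ;;                  # 3.2 and above are "v3.1.2 or later"
        *)   return 2 ;;                  # 2.x etc.: the advisory names no fix for these
    esac
}

# Stand-alone usage: classify a list of deployed versions (constructed sample input).
for tag in v3.0.10 v3.0.11 v3.1.1 v3.1.2 v3.2.0 v2.9.0; do
    if neko_is_patched "$tag"; then
        echo "$tag: patched"
    elif [ $? -eq 2 ]; then
        echo "$tag: not covered by advisory, review manually"
    else
        echo "$tag: AFFECTED, upgrade"
    fi
done
```

Feed it the output of whatever records your deployed Neko image tags (container labels, a CMDB export) and act on every line marked AFFECTED; the exit code 2 path exists so that unrelated version lines are never silently reported as safe.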
Workarounds
If upgrading is not immediately possible, the following mitigations can reduce risk:
- Restrict access to trusted users only (avoid granting accounts to untrusted parties)
- Run the instance only when needed; avoid leaving it continuously exposed
- Disable or restrict access to the /api/profile endpoint if feasible
- Monitor for suspicious privilege changes or unexpected administrative actions
Note: These are temporary mitigations and do not fully eliminate the vulnerability. Upgrading is strongly recommended.
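One way to apply the /api/profile restriction above is at the reverse proxy in front of Neko, so that the application itself does not need to be modified before the upgrade. The configuration below is an added example and is not part of the advisory or the Neko project; the upstream address, hostname and the trusted operator network are placeholders, and the WebSocket upgrade headers reflect a typical proxied Neko deployment rather than anything the advisory states.

```nginx
# Added example (not project code): emergency restriction of /api/profile at an
# nginx reverse proxy, as a stop-gap until Neko is upgraded to v3.0.11 / v3.1.2.
upstream neko_backend {
    server 127.0.0.1:8080;              # placeholder: where Neko listens
}

server {
    listen 443 ssl;
    server_name neko.example.internal;  # placeholder hostname
    # ... TLS certificate and key directives omitted ...

    # "^~" is a prefix match that wins over any regex locations, and a prefix
    # (rather than "=") also covers /api/profile/ and any sub-paths, so a
    # trailing slash cannot be used to slip past the rule.
    location ^~ /api/profile {
        allow 10.0.0.0/24;              # placeholder: trusted operator network only
        deny  all;                      # everyone else gets 403 before reaching Neko
        proxy_pass http://neko_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    location / {
        proxy_pass http://neko_backend;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;     # WebSocket upgrade for the Neko client
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

After reloading, confirm from a host outside the allowed range that any request to /api/profile (and to /api/profile/) returns 403 while the rest of the application still loads; if ordinary users legitimately need to edit their own profile, this block is only acceptable for the short window until the upgrade, which is why the advisory qualifies it with "if feasible".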
Credits
Neko thanks @blitzkrieg-patch for responsibly disclosing this vulnerability and reaching out directly. This contribution helped strengthen the project, and the whole community benefits from it.
References
- WEB https://github.com/m1k1o/neko/security/advisories/GHSA-2gw9-c2r2-f5qf
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-39386
- WEB https://github.com/m1k1o/neko/commit/6b561feb9016badea99ae7305091c0ff55e1d114
- WEB https://github.com/m1k1o/neko/commit/c54bcf1ee211e28104a2bb6db59583a39c4a4d6e
- PACKAGE https://github.com/m1k1o/neko
- WEB https://github.com/m1k1o/neko/releases/tag/v3.0.11
- WEB https://github.com/m1k1o/neko/releases/tag/v3.1.2