CVE-2026-39386

Severity: High (CVSS 3.1 base score 8.8)
EPSS: 35.0%
Published: Apr 21, 2026
Last Modified: Jun 17, 2026

Description

Neko is a self-hosted virtual browser that runs in Docker and uses WebRTC. In versions 3.0.0 through 3.0.10 and 3.1.0 through 3.1.1, any authenticated user can immediately obtain full administrative control of the entire Neko instance (member management, room settings, broadcast control, session termination, etc.). This results in a complete compromise of the instance. The vulnerability has been patched in v3.0.11 and v3.1.2. If upgrading is not immediately possible, the following mitigations can reduce risk: restrict access to trusted users only (avoid granting accounts to untrusted parties); ensure all user passwords are strong and are shared only with trusted individuals; run the instance only when needed and avoid leaving it continuously exposed; place the instance behind additional authentication layers, such as a reverse proxy with its own access controls; disable or restrict access to the /api/profile endpoint if feasible; and monitor for suspicious privilege changes or unexpected administrative actions. Note that these are temporary mitigations and do not fully eliminate the vulnerability. Upgrading is strongly recommended.

CVSS Details

Base Score
8.8
Exploitability
2.8
Impact
5.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability: 35.0%
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 5

CWE-20  Improper Input Validation (category: Validation)
CWE-269 Improper Privilege Management (category: Authorization)
CWE-284 Improper Access Control
CWE-639 Authorization Bypass Through User-Controlled Key
CWE-862 Missing Authorization (category: Authorization)

Affected Products 2

Vendor   Product   Version   Range
m1k1o    neko      *         ≥3.0.0 – <3.0.11
m1k1o    neko      *         ≥3.1.0 – <3.1.2

References 3

  • github.com https://github.com/m1k1o/neko/releases/tag/v3.0.11 (Product)
  • github.com https://github.com/m1k1o/neko/releases/tag/v3.1.2 (Product)
  • github.com https://github.com/m1k1o/neko/security/advisories/GHSA-2gw9-c2r2-f5qf (Mitigation, Vendor Advisory)

Remediation

No remediation data recorded yet for this entry.

Check the vendor advisory, the v3.0.11 and v3.1.2 release pages, and the NVD entry for patch availability.