Misskey is an open source, federated social media platform. Prior to 2026.6.0, Misskey contains a vulnerability in Time-based One-Time Password (TOTP) authentication in UserAuthService where insufficient validation of used tokens allows the reuse of a single-use code within its valid time step. If both credentials and a TOTP code are obtained concurrently, an attacker may reuse the code to perform unauthorized actions, potentially leading to account takeover. This issue is fixed in version 2026.6.0.
Project Subscriptions
No data.
Advisories
No advisories yet.
Fixes
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
References
History
Fri, 10 Jul 2026 21:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Misskey is an open source, federated social media platform. Prior to 2026.6.0, Misskey contains a vulnerability in Time-based One-Time Password (TOTP) authentication in UserAuthService where insufficient validation of used tokens allows the reuse of a single-use code within its valid time step. If both credentials and a TOTP code are obtained concurrently, an attacker may reuse the code to perform unauthorized actions, potentially leading to account takeover. This issue is fixed in version 2026.6.0. | |
| Title | Misskey: TOTP tokens can be reused | |
| Weaknesses | CWE-294 | |
| References |
|
|
| Metrics |
cvssV4_0
|
Projects
Sign in to view the affected projects.
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-10T20:55:49.896Z
Reserved: 2026-06-24T18:49:56.208Z
Link: CVE-2026-57574
No data.
No data.
No data.
OpenCVE Enrichment
No data.
Weaknesses