Description

Neko is a a self-hosted virtual browser that runs in Docker and uses WebRTC In versions 3.0.0 through 3.0.10 and 3.1.0 through 3.1.1, any authenticated user can immediately obtain full administrative control of the entire Neko instance (member management, room settings, broadcast control, session termination, etc.). This results in a complete compromise of the instance. The vulnerability has been patched in v3.0.11 and v3.1.2. If upgrading is not immediately possible, the following mitigations can reduce risk: Restrict access to trusted users only (avoid granting accounts to untrusted parties); ensure all user passwords are strong and only shared with trusted individuals; run the instance only when needed; avoid leaving it continuously exposed; place the instance behind authentication layers such as a reverse proxy with additional access controls; disable or restrict access to the /api/profile endpoint if feasible; and/or monitor for suspicious privilege changes or unexpected administrative actions. Note that these are temporary mitigations and do not fully eliminate the vulnerability. Upgrading is strongly recommended.

INFO

Published Date :

2026-04-21T00:50:34.656Z

Last Modified :

2026-04-22T03:56:19.795Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-39386 vulnerability.

Vendors Products
M1k1o
  • Neko
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-39386.

URL Resource
https://github.com/m1k1o/neko/releases/tag/v3.0.11 cve-icon cve-icon
https://github.com/m1k1o/neko/releases/tag/v3.1.2 cve-icon cve-icon
https://github.com/m1k1o/neko/security/advisories/GHSA-2gw9-c2r2-f5qf cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact