{"id":"CVE-2024-52592","summary":"Missing validation allows spoofed poll updates in Misskey","details":"Misskey is an open source, federated social media platform. In affected versions missing validation in `ApInboxService.update` allows an attacker to modify the result of polls belonging to another user. No authentication is required, except for a valid signature from any actor on any remote instance. Vulnerable Misskey instances will accept spoofed updates for remote polls. Local polls are unaffected. This issue has been addressed in version 2024.11.0-alpha.3. Users are advised to upgrade. There are no known workarounds for this vulnerability.","aliases":["GHSA-5h8r-gq97-xv69"],"modified":"2026-04-10T05:12:21.745420Z","published":"2024-12-18T19:19:17.863Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/52xxx/CVE-2024-52592.json","cwe_ids":["CWE-20"],"cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/52xxx/CVE-2024-52592.json"},{"type":"ADVISORY","url":"https://github.com/misskey-dev/misskey/security/advisories/GHSA-5h8r-gq97-xv69"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-52592"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/misskey-dev/misskey","events":[{"introduced":"5f4a52574f9e023e10b447c41e886ccec7268642"},{"fixed":"a21a2c52d7c3cf75cf67e001e664cb083188e2b8"}],"database_specific":{"versions":[{"introduced":"10.92.1"},{"fixed":"2024.11.0-alpha.3"}]}}],"versions":["10.92.1","10.92.2","10.92.3","10.92.4","10.93.0","10.93.1","10.94.0","10.95.0","10.96.0","10.97.0","10.97.1","10.97.2","10.98.0","10.98.1","10.98.2","10.98.3","10.99.0","11.0.0-alpha.1","11.0.0-alpha.10","11.0.0-alpha.2","11.0.0-alpha.3","11.0.0-alpha.4","11.0.0-alpha.5","11.0.0-alpha.6","11.0.0-alpha.7","11.0.0-alpha.8","11.0.0-beta.1","11.0.0-beta.10","11.0.0-beta.11","11.0.0-beta.12","11.0.0-beta.13","11.0.0-beta.14","11.0.0-beta.15","11.0.0-beta.16","11.0.0-beta.2","11.0.0-beta.3","11.0.0-beta.4","11.0.0-beta.5","11.0.0-beta.6","11.0.0-beta.7","11.0.0-beta.8","11.0.0-beta.9","11.26.1","11.26.2","11.27.0","11.27.1","11.28.0","11.28.1","11.28.2","11.29.0","11.30.0","11.31.0","11.31.1","11.31.2","11.31.3","11.31.4","11.32.0","11.33.0","11.34.0","11.35.0","11.35.1","11.36.0","11.37.0","11.37.1","12.0.0","12.1.0","12.10.0","12.11.0","12.12.0","12.13.0","12.14.0","12.15.0","12.16.0","12.17.0","12.18.0","12.18.1","12.19.0","12.2.0","12.20.0","12.21.0","12.29.0","12.3.0","12.30.0","12.31.0","12.32.0","12.33.0","12.34.0","12.35.0","12.35.1","12.35.2","12.36.0","12.36.1","12.37.0","12.38.0","12.38.1","12.39.0","12.39.1","12.4.0","12.4.1","12.40.0","12.41.0","12.41.1","12.41.2","12.41.3","12.42.0","12.43.0","12.44.0","12.44.1","12.45.0","12.45.1","12.46.0","12.47.0","12.47.1","12.48.0","12.48.1","12.48.2","12.48.3","12.49.0","12.49.1","12.5.0","12.50.0","12.51.0","12.52.0","12.53.0","12.54.0","12.55.0","12.56.0","12.57.0","12.57.1","12.57.4","12.58.0","12.59.0","12.6.0","12.60.0","12.60.1","12.61.0","12.61.1","12.62.0","12.62.1","12.62.2","12.63.0","12.64.0","12.64.1","12.64.2","12.65.0","12.65.1","12.65.2","12.65.3","12.65.4","12.65.5","12.65.6","12.65.7","12.66.0","12.67.0","12.67.1","12.7.0","12.7.1","12.8.0","12.9.0","13.0.0-beta.16","13.0.0-beta.21","13.0.0-beta.22","13.0.0-beta.23","13.0.0-beta.24","13.0.0-beta.25","13.0.0-beta.26","13.0.0-beta.27","13.0.0-beta.28","13.0.0-beta.29","13.0.0-beta.30","13.0.0-beta.31","13.0.0-beta.32","13.0.0-beta.33","13.0.0-beta.34","13.0.0-beta.35","13.0.0-beta.36","13.0.0-beta.37","13.0.0-beta.38","13.0.0-beta.39","13.0.0-beta.40","13.0.0-beta.41","13.0.0-beta.42","13.0.0-beta.43","13.0.0-rc.1","13.0.0-rc.10","13.0.0-rc.11","13.0.0-rc.2","13.0.0-rc.3","13.0.0-rc.5","13.0.0-rc.6","13.0.0-rc.7","13.0.0-rc.8","13.0.0-rc.9","13.11.0-beta.4","13.11.0-beta.6","13.11.0-beta.7","13.11.0-beta.8","13.11.0.beta-1","13.11.0.beta-2","13.11.0.beta-3","13.12.0-beta.2","13.12.0-beta.3","13.12.0-beta.4","13.12.0-beta.5","13.12.0-beta.6","13.13.0-beta.1","13.13.0-beta.2","13.13.0-beta.3","13.13.0-beta.4","13.13.0-beta.5","13.13.0-beta.6","13.13.0-beta.7","13.14.0-beta.1","13.14.0-beta.2","13.14.0-beta.3","13.14.0-beta.4","13.14.0-beta.5","13.14.0-beta.6","13.14.0-beta.7","2023.10.0-beta.1","2023.10.0-beta.10","2023.10.0-beta.11","2023.10.0-beta.12","2023.10.0-beta.13","2023.10.0-beta.14","2023.10.0-beta.15","2023.10.0-beta.2","2023.10.0-beta.3","2023.10.0-beta.4","2023.10.0-beta.5","2023.10.0-beta.6","2023.10.0-beta.7","2023.10.0-beta.8","2023.10.0-beta.9","2023.10.2-beta.1","2023.10.2-beta.2","2023.11.0-beta.1","2023.11.0-beta.10","2023.11.0-beta.2","2023.11.0-beta.3","2023.11.0-beta.4","2023.11.0-beta.5","2023.11.0-beta.6","2023.11.0-beta.7","2023.11.0-beta.8","2023.11.0-beta.9","2023.11.1-beta.1","2023.11.1-beta.2","2023.12.0-beta.1","2023.12.0-beta.2","2023.12.0-beta.3","2023.12.0-beta.4","2023.12.0-beta.5","2023.12.0-beta.6","2023.9.0-beta.1","2023.9.0-beta.10","2023.9.0-beta.11","2023.9.0-beta.2","2023.9.0-beta.3","2023.9.0-beta.4","2023.9.0-beta.5","2023.9.0-beta.6","2023.9.0-beta.7","2023.9.0-beta.8","2023.9.0-beta.9","2023.9.0-rc.1","2023.9.0-rc.2","2023.9.0-rc.3","2023.9.0-rc.4","2024.10.0","2024.10.0-alpha.0","2024.10.0-alpha.1","2024.10.0-beta.2","2024.10.0-beta.3","2024.10.0-beta.4","2024.10.0-beta.5","2024.10.0-beta.6","2024.10.1","2024.10.1-alpha.0","2024.10.1-beta.1","2024.10.1-beta.2","2024.10.1-beta.3","2024.10.1-beta.4","2024.10.1-beta.5","2024.10.1-beta.6","2024.10.2-alpha.0","2024.10.2-alpha.1","2024.10.2-alpha.2","2024.11.0-alpha.1","2024.11.0-alpha.2","2024.2.0-beta.1","2024.2.0-beta.10","2024.2.0-beta.12","2024.2.0-beta.13","2024.2.0-beta.2","2024.2.0-beta.3","2024.2.0-beta.4","2024.2.0-beta.5","2024.2.0-beta.6","2024.2.0-beta.7","2024.2.0-beta.8","2024.2.0-beta.9","2024.7.0","2024.7.0-beta.0","2024.7.0-beta.1","2024.7.0-beta.2","2024.7.0-beta.3","2024.7.0-rc.4","2024.7.0-rc.5","2024.7.0-rc.6","2024.7.0-rc.7","2024.7.0-rc.8","2024.8.0","2024.8.0-alpha.0","2024.8.0-alpha.1","2024.8.0-beta.2","2024.8.0-rc.3","2024.8.0-rc.4","2024.8.0-rc.5","2024.9.0","2024.9.0-alpha.0","2024.9.0-alpha.1","2024.9.0-alpha.10","2024.9.0-alpha.11","2024.9.0-alpha.12","2024.9.0-alpha.13","2024.9.0-alpha.2","2024.9.0-alpha.3","2024.9.0-alpha.4","2024.9.0-alpha.5","2024.9.0-alpha.6","2024.9.0-alpha.7","2024.9.0-alpha.8","2024.9.0-alpha.9","2024.9.0-beta.14"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-52592.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/syuilo/misskey","events":[{"introduced":"5f4a52574f9e023e10b447c41e886ccec7268642"},{"fixed":"551040ed0ff4bfabeb4c54df2fd1860d58bedd21"}],"database_specific":{"versions":[{"introduced":"10.92.1"},{"fixed":"2024.11.0"}]}}],"versions":["10.92.1","10.92.2","10.92.3","10.92.4","10.93.0","10.93.1","10.94.0","10.95.0","10.96.0","10.97.0","10.97.1","10.97.2","10.98.0","10.98.1","10.98.2","10.98.3","10.99.0","11.0.0-alpha.1","11.0.0-alpha.10","11.0.0-alpha.2","11.0.0-alpha.3","11.0.0-alpha.4","11.0.0-alpha.5","11.0.0-alpha.6","11.0.0-alpha.7","11.0.0-alpha.8","11.0.0-beta.1","11.0.0-beta.10","11.0.0-beta.11","11.0.0-beta.12","11.0.0-beta.13","11.0.0-beta.14","11.0.0-beta.15","11.0.0-beta.16","11.0.0-beta.2","11.0.0-beta.3","11.0.0-beta.4","11.0.0-beta.5","11.0.0-beta.6","11.0.0-beta.7","11.0.0-beta.8","11.0.0-beta.9","11.26.1","11.26.2","11.27.0","11.27.1","11.28.0","11.28.1","11.28.2","11.29.0","11.30.0","11.31.0","11.31.1","11.31.2","11.31.3","11.31.4","11.32.0","11.33.0","11.34.0","11.35.0","11.35.1","11.36.0","11.37.0","11.37.1","12.0.0","12.1.0","12.10.0","12.11.0","12.12.0","12.13.0","12.14.0","12.15.0","12.16.0","12.17.0","12.18.0","12.18.1","12.19.0","12.2.0","12.20.0","12.21.0","12.29.0","12.3.0","12.30.0","12.31.0","12.32.0","12.33.0","12.34.0","12.35.0","12.35.1","12.35.2","12.36.0","12.36.1","12.37.0","12.38.0","12.38.1","12.39.0","12.39.1","12.4.0","12.4.1","12.40.0","12.41.0","12.41.1","12.41.2","12.41.3","12.42.0","12.43.0","12.44.0","12.44.1","12.45.0","12.45.1","12.46.0","12.47.0","12.47.1","12.48.0","12.48.1","12.48.2","12.48.3","12.49.0","12.49.1","12.5.0","12.50.0","12.51.0","12.52.0","12.53.0","12.54.0","12.55.0","12.56.0","12.57.0","12.57.1","12.57.4","12.58.0","12.59.0","12.6.0","12.60.0","12.60.1","12.61.0","12.61.1","12.62.0","12.62.1","12.62.2","12.63.0","12.64.0","12.64.1","12.64.2","12.65.0","12.65.1","12.65.2","12.65.3","12.65.4","12.65.5","12.65.6","12.65.7","12.66.0","12.67.0","12.67.1","12.7.0","12.7.1","12.8.0","12.9.0","13.0.0-beta.16","13.0.0-beta.21","13.0.0-beta.22","13.0.0-beta.23","13.0.0-beta.24","13.0.0-beta.25","13.0.0-beta.26","13.0.0-beta.27","13.0.0-beta.28","13.0.0-beta.29","13.0.0-beta.30","13.0.0-beta.31","13.0.0-beta.32","13.0.0-beta.33","13.0.0-beta.34","13.0.0-beta.35","13.0.0-beta.36","13.0.0-beta.37","13.0.0-beta.38","13.0.0-beta.39","13.0.0-beta.40","13.0.0-beta.41","13.0.0-beta.42","13.0.0-beta.43","13.0.0-rc.1","13.0.0-rc.10","13.0.0-rc.11","13.0.0-rc.2","13.0.0-rc.3","13.0.0-rc.5","13.0.0-rc.6","13.0.0-rc.7","13.0.0-rc.8","13.0.0-rc.9","13.11.0-beta.4","13.11.0-beta.6","13.11.0-beta.7","13.11.0-beta.8","13.11.0.beta-1","13.11.0.beta-2","13.11.0.beta-3","13.12.0-beta.2","13.12.0-beta.3","13.12.0-beta.4","13.12.0-beta.5","13.12.0-beta.6","13.13.0-beta.1","13.13.0-beta.2","13.13.0-beta.3","13.13.0-beta.4","13.13.0-beta.5","13.13.0-beta.6","13.13.0-beta.7","13.14.0-beta.1","13.14.0-beta.2","13.14.0-beta.3","13.14.0-beta.4","13.14.0-beta.5","13.14.0-beta.6","13.14.0-beta.7","2023.10.0-beta.1","2023.10.0-beta.10","2023.10.0-beta.11","2023.10.0-beta.12","2023.10.0-beta.13","2023.10.0-beta.14","2023.10.0-beta.15","2023.10.0-beta.2","2023.10.0-beta.3","2023.10.0-beta.4","2023.10.0-beta.5","2023.10.0-beta.6","2023.10.0-beta.7","2023.10.0-beta.8","2023.10.0-beta.9","2023.10.2-beta.1","2023.10.2-beta.2","2023.11.0-beta.1","2023.11.0-beta.10","2023.11.0-beta.2","2023.11.0-beta.3","2023.11.0-beta.4","2023.11.0-beta.5","2023.11.0-beta.6","2023.11.0-beta.7","2023.11.0-beta.8","2023.11.0-beta.9","2023.11.1-beta.1","2023.11.1-beta.2","2023.12.0-beta.1","2023.12.0-beta.2","2023.12.0-beta.3","2023.12.0-beta.4","2023.12.0-beta.5","2023.12.0-beta.6","2023.9.0-beta.1","2023.9.0-beta.10","2023.9.0-beta.11","2023.9.0-beta.2","2023.9.0-beta.3","2023.9.0-beta.4","2023.9.0-beta.5","2023.9.0-beta.6","2023.9.0-beta.7","2023.9.0-beta.8","2023.9.0-beta.9","2023.9.0-rc.1","2023.9.0-rc.2","2023.9.0-rc.3","2023.9.0-rc.4","2024.10.0","2024.10.0-alpha.0","2024.10.0-alpha.1","2024.10.0-beta.2","2024.10.0-beta.3","2024.10.0-beta.4","2024.10.0-beta.5","2024.10.0-beta.6","2024.10.1","2024.10.1-alpha.0","2024.10.1-beta.1","2024.10.1-beta.2","2024.10.1-beta.3","2024.10.1-beta.4","2024.10.1-beta.5","2024.10.1-beta.6","2024.10.2-alpha.0","2024.10.2-alpha.1","2024.10.2-alpha.2","2024.11.0-alpha.1","2024.11.0-alpha.2","2024.11.0-alpha.3","2024.11.0-beta.4","2024.2.0-beta.1","2024.2.0-beta.10","2024.2.0-beta.12","2024.2.0-beta.13","2024.2.0-beta.2","2024.2.0-beta.3","2024.2.0-beta.4","2024.2.0-beta.5","2024.2.0-beta.6","2024.2.0-beta.7","2024.2.0-beta.8","2024.2.0-beta.9","2024.7.0","2024.7.0-beta.0","2024.7.0-beta.1","2024.7.0-beta.2","2024.7.0-beta.3","2024.7.0-rc.4","2024.7.0-rc.5","2024.7.0-rc.6","2024.7.0-rc.7","2024.7.0-rc.8","2024.8.0","2024.8.0-alpha.0","2024.8.0-alpha.1","2024.8.0-beta.2","2024.8.0-rc.3","2024.8.0-rc.4","2024.8.0-rc.5","2024.9.0","2024.9.0-alpha.0","2024.9.0-alpha.1","2024.9.0-alpha.10","2024.9.0-alpha.11","2024.9.0-alpha.12","2024.9.0-alpha.13","2024.9.0-alpha.2","2024.9.0-alpha.3","2024.9.0-alpha.4","2024.9.0-alpha.5","2024.9.0-alpha.6","2024.9.0-alpha.7","2024.9.0-alpha.8","2024.9.0-alpha.9","2024.9.0-beta.14"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-52592.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"}]}