CVE-2026-39386: Mass Assignment Privilege Escalation in Neko WebRTC Browser
Vulnerability ID: CVE-2026-39386
CVSS Score: 8.8
Published: 2026-04-21
CVE-2026-39386 is a high-severity mass assignment vulnerability in the Neko virtual browser system. It permits any authenticated user to elevate their privileges to full administrative control by injecting the is_admin boolean flag during a profile update request.
TL;DR
A mass assignment flaw in Neko's profile update API allows authenticated users to obtain admin privileges by submitting an is_admin: true JSON payload.
⚠️ Exploit Status: POC
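The mechanism described above, as an added Go example that is not code from the Neko project: a profile-update handler that decodes the request body straight into the stored member record (so a body containing is_admin flips the flag), beside a hardened version that decodes into an explicit allow-list type. The MemberProfile and profileUpdateRequest types and field names are assumptions for illustration, not Neko's actual types.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
)

// MemberProfile stands in for the stored profile record of a logged-in user.
// The field names are assumptions for this example, not Neko's real types.
type MemberProfile struct {
	Name    string `json:"name"`
	IsAdmin bool   `json:"is_admin"`
	CanHost bool   `json:"can_host"`
}

// updateProfileVulnerable shows the mass-assignment pattern: the request body
// is decoded directly into the stored record, so any JSON key that matches a
// struct field, is_admin included, is written without an authorization check.
func updateProfileVulnerable(stored MemberProfile, body []byte) (MemberProfile, error) {
	if err := json.Unmarshal(body, &stored); err != nil {
		return stored, err
	}
	return stored, nil
}

// profileUpdateRequest is an explicit allow-list of user-editable fields.
// Privilege flags are absent on purpose, so there is nothing for a client
// to bind them to. A pointer distinguishes "not sent" from "sent as empty".
type profileUpdateRequest struct {
	Name *string `json:"name"`
}

// updateProfileHardened decodes into the allow-list type and copies only the
// permitted fields onto the stored record. DisallowUnknownFields turns a body
// carrying is_admin into a decode error, which is also a useful log signal.
func updateProfileHardened(stored MemberProfile, body []byte) (MemberProfile, error) {
	dec := json.NewDecoder(bytes.NewReader(body))
	dec.DisallowUnknownFields()
	var req profileUpdateRequest
	if err := dec.Decode(&req); err != nil {
		return stored, err
	}
	if req.Name != nil {
		stored.Name = *req.Name
	}
	return stored, nil
}

func main() {
	alice := MemberProfile{Name: "alice"}
	body := []byte(`{"name":"alice","is_admin":true}`) // constructed request body

	v, _ := updateProfileVulnerable(alice, body)
	fmt.Printf("vulnerable handler: is_admin=%v\n", v.IsAdmin)

	h, err := updateProfileHardened(alice, body)
	fmt.Printf("hardened handler:   is_admin=%v err=%v\n", h.IsAdmin, err)
}
```

Rejecting unknown fields is a design choice: silently dropping them would also close the hole, but an explicit error makes attempts to set is_admin visible in request logs. Privilege changes belong on a separate endpoint that checks the caller's own admin status before writing the flag.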
Technical Details
- CWE ID: CWE-269
- Attack Vector: Network
- CVSS Score: 8.8 (High)
- EPSS Score: 0.0012
- Impact: Total Instance Compromise
- Exploit Status: Proof of Concept
- Authentication: Required (Low Privilege)
Affected Systems
- Neko (m1k1o/neko)
- Neko: 3.0.0 - 3.0.10 (Fixed in: 3.0.11)
- Neko: 3.1.0 - 3.1.1 (Fixed in: 3.1.2)
Code Analysis
- Fix Commit (v3.1.x): c54bcf1
- Fix Commit (v3.0.x): 6b561fe
Exploit Details
- GitHub Security Advisory: Advisory containing the vulnerability mechanism and conceptual proof of concept.
Mitigation Strategies
- Upgrade Neko to version 3.0.11, 3.1.2, or later.
- Restrict access to the Neko instance to trusted networks and users.
- Implement a reverse proxy rule to block POST/PUT requests to /api/profile if patching is delayed.
- Audit existing Neko user accounts for unauthorized administrative privileges.
Remediation Steps:
- Verify the current running version of the Neko Docker container.
- Update the Docker image tag in the deployment configuration (e.g., docker-compose.yml) to m1k1o/neko:3.1.2.
- Pull the new image and recreate the container using docker-compose up -d.
- Review the list of users in the Neko administration panel to confirm no unauthorized accounts hold the 'Admin' role.
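The account review in the last step, as an added Go example that is not part of the advisory or the Neko project: it parses a member listing and reports every account holding the admin flag that is not on the operator's expected list. The memberRecord shape and the sample listing are constructed assumptions; adjust the JSON tags to match the actual export or API response you audit.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// memberRecord is the assumed shape of one entry in a member listing; the
// real Neko API response may differ, so adjust the JSON tags when adapting it.
type memberRecord struct {
	ID      string `json:"id"`
	Name    string `json:"name"`
	IsAdmin bool   `json:"is_admin"`
}

// unexpectedAdmins parses a member listing and returns, sorted, the names of
// accounts that hold the admin flag but are not on the operator's expected list.
func unexpectedAdmins(listing []byte, expected []string) ([]string, error) {
	var members []memberRecord
	if err := json.Unmarshal(listing, &members); err != nil {
		return nil, err
	}
	allowed := make(map[string]bool, len(expected))
	for _, n := range expected {
		allowed[n] = true
	}
	var out []string
	for _, m := range members {
		if m.IsAdmin && !allowed[m.Name] {
			out = append(out, m.Name)
		}
	}
	sort.Strings(out)
	return out, nil
}

func main() {
	// Constructed sample listing, not real data from any instance.
	listing := []byte(`[
	  {"id":"1","name":"operator","is_admin":true},
	  {"id":"2","name":"guest1","is_admin":false},
	  {"id":"3","name":"guest2","is_admin":true}
	]`)
	suspects, err := unexpectedAdmins(listing, []string{"operator"})
	if err != nil {
		panic(err)
	}
	fmt.Println("accounts with unexpected admin role:", suspects)
}
```

Any name it returns should be checked against change history and demoted if the elevation cannot be accounted for, since an account elevated through this flaw keeps the role after the upgrade.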
References
- GitHub Security Advisory GHSA-2gw9-c2r2-f5qf
- NVD CVE-2026-39386 Detail
- Fix Commit (v3.1.x)
- Fix Commit (v3.0.x)
- Project Releases v3.1.2