Neko, Self-service Privilege Escalation, CVE-2026-39386 (High)

Listen to this Post

How CVE-2026-39386 Works

CVE-2026-39386 is a high‑severity privilege escalation vulnerability affecting Neko, a self‑hosted virtual browser that runs in Docker and uses WebRTC. The flaw is rooted in improper input validation (CWE‑20) and missing access controls (CWE‑269, CWE‑284, CWE‑639, CWE‑862) on the backend API. Specifically, the `/api/profile` endpoint lacks proper authorization checks. An authenticated user can send a crafted request to this endpoint that modifies internal user roles or administrative flags. Because the input is not adequately sanitized, the server accepts the forged payload and grants the attacker full administrative privileges.
The exploitation chain is straightforward: an attacker first obtains a legitimate authenticated session to any Neko instance—through a weak password, shared credentials, or a compromised account. With this session, the attacker directly calls the vulnerable API endpoints (e.g., /api/profile) to elevate their own role to “admin”. No further authentication or additional privileges are required. Once the attacker has admin rights, they can perform any administrative action: manage all members, change room settings, control broadcasts, terminate any session, and effectively take over the entire instance. The vulnerability is present in all versions from 3.0.0 up to (but not including) 3.0.11, and from the pseudo‑version `0.0.0-20250322225643-212bf8a60756` up to (but not including) 0.0.0-20260406184107-c54bcf1ee211. The exploit requires only a single authenticated HTTP request and can be performed via the web interface or the API, making it highly dangerous for any publicly exposed Neko instance.

dailycve form:

Platform: Neko
Version: 3.0.0–3.0.10 & 3.1.0–3.1.1
Vulnerability: Self‑service Privilege Escalation
Severity: High
date: 2026‑04‑21

Prediction: 2026‑04‑19

Analytics under heading What Undercode Say:

Check installed Neko version
docker ps --filter "name=neko" --format "table {{.Image}}"
docker exec neko-server cat /version.txt
List all users with admin privileges (vulnerable endpoint)
curl -X GET http://neko-instance/api/users -H "Cookie: session=<valid-session>"
Simulate privilege escalation attempt (for auditing)
curl -X POST http://neko-instance/api/profile \
-H "Content-Type: application/json" \
-H "Cookie: session=<valid-session>" \
-d '{"role":"admin"}'
Monitor access logs for suspicious /api/profile calls
tail -f /var/log/neko/access.log | grep "/api/profile"
Backup current configuration before upgrade
docker cp neko-server:/etc/neko/config.toml ./config_backup.toml

Exploit:

A valid session token is all that is required. The attacker sends a single POST request to `/api/profile` with a JSON payload that changes their `role` field to admin. The vulnerable backend accepts the request without re‑authenticating or validating the user’s current permissions. Immediately after, the attacker can list all users, terminate any session, modify room settings, and control broadcasts. Because the exploit is silent and does not require additional privileges, it can be executed from any low‑privileged account.

Protection from this CVE

  1. Upgrade immediately to Neko v3.0.11 or v3.1.2 or later.

2. If an upgrade is not possible:

  • Restrict access to the `/api/profile` endpoint via a reverse proxy (e.g., location /api/profile { deny all; }).
  • Place the instance behind an authentication layer (e.g., OAuth2 proxy, VPN) and allow only trusted users.
  • Monitor logs for unexpected `/api/profile` calls and abrupt role changes.
  • Enforce strong, unique passwords and disable sharing of accounts.

Impact

  • Complete administrative takeover: Any authenticated user can instantly gain full admin rights.
  • Total loss of confidentiality, integrity, and availability: The attacker can manage members, change room settings, control broadcasts, terminate any session, and effectively own the entire Neko instance.
  • No warning or additional privileges required: The exploit is silent and requires only a single API call.
  • Exposed instances are at high risk: Any Neko instance reachable from the internet with even a single low‑privileged account is immediately vulnerable.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top