PT-2026-33880 · Neko · Neko

Published: 2026-04-21 · Updated: 2026-06-01 · CVE-2026-39386

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Neko versions 3.0.0 through 3.0.10
Neko versions 3.1.0 through 3.1.1

Description
A flaw allows any authenticated user to obtain full administrative control of the Neko instance, including member management, room settings, broadcast control, and session termination. This leads to a complete compromise of the instance. The flaw is associated with the '/api/profile' endpoint.

Recommendations
Update versions 3.0.0 through 3.0.10 to 3.0.11.
Update versions 3.1.0 through 3.1.1 to 3.1.2.
Restrict access to trusted users only.
Ensure all user passwords are strong.
Run the instance only when needed and avoid continuous exposure.
Place the instance behind authentication layers such as a reverse proxy with additional access controls.
Disable or restrict access to the '/api/profile' endpoint.
Monitor for suspicious privilege changes or unexpected administrative actions.
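The reverse-proxy recommendations above, as an added example (not from the advisory or the Neko project): an nginx configuration that adds its own authentication layer in front of Neko and restricts the affected '/api/profile' endpoint to a trusted admin network until the instance is upgraded. The backend address, hostname, certificate paths, htpasswd file and the 10.0.0.0/24 admin range are placeholders, and restricting the endpoint this way may break profile features for ordinary users, so use it as an interim measure only.

```nginx
# Added example, not part of the advisory. Assumes Neko listens on 127.0.0.1:8080
# and that administrators connect from 10.0.0.0/24 (placeholder values).
upstream neko_backend {
    server 127.0.0.1:8080;
}

server {
    listen 443 ssl;
    server_name neko.example.internal;              # placeholder hostname

    ssl_certificate     /etc/nginx/tls/neko.crt;     # placeholder paths
    ssl_certificate_key /etc/nginx/tls/neko.key;

    # Additional access control in front of Neko's own login (the advisory's
    # "reverse proxy with additional access controls" recommendation).
    auth_basic           "Neko";
    auth_basic_user_file /etc/nginx/neko.htpasswd;   # placeholder path

    # Restrict the affected endpoint (and anything under it) to trusted addresses.
    # Both auth_basic and the allow/deny list must pass (nginx default: satisfy all).
    location ^~ /api/profile {
        allow 10.0.0.0/24;
        deny  all;
        proxy_pass http://neko_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # Everything else is proxied normally, including the WebSocket upgrade
    # the Neko client needs.
    location / {
        proxy_pass http://neko_backend;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

Requests to '/api/profile' from outside the allow-list receive 403 from nginx and never reach Neko; the nginx access log then gives a single place to watch for repeated denied attempts against that path.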

Fix

LPE

Improper Access Control

Improper Privilege Management

IDOR

RCE

Missing Authorization


Related Identifiers

CVE-2026-39386
GHSA-2GW9-C2R2-F5QF
GO-2026-4960

Affected Products

Neko