Neko grants admin to any user (CVE-2026-39386)
CVE-2026-39386
Neko 3.0.0-3.0.10 and 3.1.0-3.1.1 privilege escalation lets any standard user seize admin control. Upgrade to 3.0.11/3.1.2 immediately.
Vendor-confirmed: CVE-2026-39386 is a high-severity privilege escalation in Neko 3.0.0 through 3.0.10 and 3.1.0 through 3.1.1 that lets any authenticated standard user escalate to full administrative control. Upgrade to version 3.0.11 or 3.1.2 to patch.
Overview
A critical privilege escalation vulnerability in the Neko self-hosted virtual browser allows any user with a standard account to immediately obtain full administrative privileges. This flaw is present in versions 3.0.0 through 3.0.10 and 3.1.0 through 3.1.1.
Vulnerability Details
Neko is a Docker-based virtual browser that uses WebRTC for remote access. The vulnerability, tracked as CVE-2026-39386 with a HIGH CVSS score of 8.8, resides in improper access controls. Any authenticated user, regardless of their assigned role, can exploit this to gain administrative control over the entire instance.
The attack is network-based, of low complexity, and requires no user interaction, making it straightforward for an attacker who already holds valid credentials.
Impact
Successful exploitation results in a complete compromise of the Neko instance. An attacker with a standard member account can:
- Take over member management (add, delete, or modify users).
- Alter all room and broadcast settings.
- Terminate active user sessions.
- Control all other administrative functions.
This grants an attacker the same level of access as the system administrator, potentially leading to unauthorized use of the virtual browser environment, data exposure, or service disruption.
Remediation and Mitigation
The primary and strongly recommended action is to upgrade to a patched version immediately.
- Patch: Upgrade to Neko version 3.0.11 (for the 3.0.x branch) or 3.1.2 (for the 3.1.x branch).
If upgrading is not immediately possible, apply these temporary mitigations to reduce risk. They do not eliminate the vulnerability.
- Restrict Access: Limit instance access to trusted users only.
- Strengthen Credentials: Ensure all user passwords are strong and unique.
- Limit Exposure: Run the instance only when needed and avoid leaving it continuously online.
- Add Defense Layers: Place the instance behind a reverse proxy with additional authentication (e.g., HTTP basic auth, IP whitelisting).
- Monitor: Watch logs for suspicious privilege changes or unexpected administrative actions.
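As an added illustration of the "Add Defense Layers" mitigation (this is example configuration written for this page, not configuration from the advisory or the Neko project), the following nginx server block puts both an IP allowlist and HTTP basic auth in front of the instance, so an unauthenticated client on an untrusted network never reaches Neko's own login. The upstream address, hostname, certificate paths, htpasswd file and trusted network range are assumed placeholders.

```nginx
# Example only: nginx in front of a self-hosted Neko instance.
# Assumptions (placeholders): Neko listens on 127.0.0.1:8080, the trusted
# range is 203.0.113.0/24, and /etc/nginx/neko.htpasswd was created with
#   htpasswd -c /etc/nginx/neko.htpasswd <proxy-user>
server {
    listen 443 ssl;
    server_name neko.example.com;

    ssl_certificate     /etc/nginx/tls/neko.crt;   # placeholder paths
    ssl_certificate_key /etc/nginx/tls/neko.key;

    # IP allowlist: anything outside the trusted range gets 403 before
    # the proxy-level login prompt is even shown.
    allow 203.0.113.0/24;
    deny  all;

    # Proxy-level basic auth: a separate credential, checked by nginx,
    # that an attacker with only a Neko member account does not hold.
    # With the default "satisfy all", both the allowlist and basic auth
    # must pass.
    auth_basic           "Neko";
    auth_basic_user_file /etc/nginx/neko.htpasswd;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_http_version 1.1;

        # Neko's session signaling runs over WebSocket; without the
        # Upgrade/Connection headers the handshake fails and no session
        # starts, which makes a misconfigured proxy easy to spot.
        proxy_set_header Upgrade           $http_upgrade;
        proxy_set_header Connection        "upgrade";
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        # Long-lived sessions: do not let nginx drop an idle WebSocket.
        proxy_read_timeout 3600s;
    }
}
```

This narrows who can even attempt a Neko login; it does not fix the authorization flaw, so the upgrade to 3.0.11 or 3.1.2 is still required.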
Security Insight
This vulnerability highlights the persistent risk of broken access control, which remains a top issue in the OWASP Top 10. It underscores that self-hosted applications, even those containerized like Neko, require the same rigorous security review for authorization logic as traditional web applications. Similar flaws in admin panels have led to widespread compromises in other collaboration tools, emphasizing that the attack surface extends beyond the core application functionality to its management interfaces.