


Perceptive Security
SOC/SIEM Consultancy

Neko is a self-hosted virtual browser that runs in Docker and uses WebRTC. In versions 3.0.0 through 3.0.10 and 3.1.0 through 3.1.1, any authenticated user can…
Published: 20 April 2026 at 22:00:00
Alert date: 21 April 2026 at 07:08:02
Source: nvd.nist.gov
Web Technologies, Cloud & Virtualization
A critical vulnerability in Neko, a self-hosted virtual browser running in Docker, allows any authenticated user to gain full administrative control. The vulnerability affects versions 3.0.0-3.0.10 and 3.1.0-3.1.1, enabling complete instance compromise including member management, room settings, broadcast control, and session termination. Patches are available in v3.0.11 and v3.1.2. Temporary mitigations include restricting access to trusted users, using strong passwords, implementing reverse proxy authentication, and monitoring for suspicious privilege changes. The vulnerability appears to be related to the /api/profile endpoint and requires immediate patching for full resolution.
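A helper for the patching and monitoring steps above, added here as an example (it is not code from Neko or from the advisory). It assumes a reverse proxy in front of Neko that writes Combined Log Format; treating accepted write requests to /api/profile as the events to review is also an assumption, since the summary names only the endpoint. The sample log lines are constructed.

```python
import re

# Affected ranges as stated in the alert: 3.0.0-3.0.10 and 3.1.0-3.1.1.
AFFECTED = [((3, 0, 0), (3, 0, 10)), ((3, 1, 0), (3, 1, 1))]

def is_affected(version: str) -> bool:
    """True if a Neko version string (optionally 'v'-prefixed) is in an affected range."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    parts = tuple(int(p) for p in m.groups())
    return any(lo <= parts <= hi for lo, hi in AFFECTED)

# Combined Log Format (assumed proxy log format, not something the alert specifies).
LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}  # assumption: review writes only

def profile_writes(lines):
    """Return (timestamp, ip, method, status) for accepted writes to /api/profile."""
    hits = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines in another format rather than guessing
        path = m["path"].split("?", 1)[0].rstrip("/")
        accepted = m["status"].startswith("2")
        if path == "/api/profile" and m["method"] in WRITE_METHODS and accepted:
            hits.append((m["ts"], m["ip"], m["method"], int(m["status"])))
    return hits

# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE = [
    '203.0.113.7 - - [21/Apr/2026:06:01:10 +0000] "GET /api/profile HTTP/1.1" 200 312 "-" "ua"',
    '198.51.100.23 - - [21/Apr/2026:06:02:44 +0000] "POST /api/profile HTTP/1.1" 204 0 "-" "ua"',
    '198.51.100.23 - - [21/Apr/2026:06:02:50 +0000] "POST /api/other HTTP/1.1" 200 18 "-" "ua"',
    '192.0.2.9 - - [21/Apr/2026:06:03:02 +0000] "POST /api/profile/ HTTP/1.1" 403 41 "-" "ua"',
    'not an access log line',
]

if __name__ == "__main__":
    for version in ("3.0.10", "3.0.11", "3.1.1", "3.1.2"):
        print(version, "affected" if is_affected(version) else "patched or out of range")
    for hit in profile_writes(SAMPLE):
        print("review:", hit)
```

Each hit is a lead for comparison against expected account activity, not proof of abuse.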
Affected products: Neko
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-39386
https://github.com/m1k1o/neko/releases/tag/v3.0.11
https://github.com/m1k1o/neko/releases/tag/v3.1.2
https://github.com/m1k1o/neko/security/advisories/GHSA-2gw9-c2r2-f5qf
This article was created with the assistance of AI technology by Perceptive.
