Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
4DescriptionGitHub Advisory
The Hytale Modding Wiki is a free service for Hytale mods to host their documentation & wikis. An Insecure Direct Object Reference (IDOR) vulnerability in versions of the wiki prior to 1.0.0 exposes mod authors' personal information - including full names and email addresses - to any authenticated user who visits a mod page. Any user who creates an account can access sensitive author details by simply navigating to a mod's page via its slug. Version 1.0.0 fixes the issue.
AnalysisAI
An Insecure Direct Object Reference (IDOR) vulnerability in the Hytale Modding Wiki prior to version 1.0.0 allows any authenticated user to access and view mod authors' personal information, including full names and email addresses, by navigating directly to mod pages using their slugs. The vulnerability requires only low-privilege authentication (account creation) and no user interaction, making it trivially exploitable. While the CVSS score is moderate at 4.3, the exposure of personally identifiable information (PII) represents a direct privacy harm to affected mod authors.
Technical ContextAI
The vulnerability stems from a failure to properly validate authorization on object access, classified under CWE-862 (Missing Authorization). The Hytale Modding Wiki application (CPE: cpe:2.3:a:hytalemodding:wiki:*:*:*:*:*:*:*:*) appears to implement authentication checks at the account/session level but does not enforce sufficient authorization controls on individual mod resources. When an authenticated user requests a mod page via its slug (a human-readable URL identifier), the backend returns sensitive author metadata without verifying whether the requesting user has permission to view that data. This is a common IDOR pattern where object identifiers are predictable (standard slug formats) and access controls are either absent or bypassable through direct enumeration.
RemediationAI
Immediately upgrade the Hytale Modding Wiki to version 1.0.0 or later, which includes the authorization fix committed at https://github.com/HytaleModding/wiki/commit/4a96b3f9bce9a9d34030c39a8d6e4c6b6183f13d. Until patching is completed, temporary mitigation may include restricting wiki access to a smaller set of authenticated users, implementing rate limiting on mod page requests to detect enumeration attempts, or reviewing access logs to identify unauthorized access to author information. Verify that the patch correctly implements per-resource authorization checks before granting access to mod metadata.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-12981