Skip to main content

Assassin Game CVE-2026-7165

| EUVDEUVD-2026-38235 CRITICAL
Improper Input Validation (CWE-20)
2026-06-22 INCIBE GHSA-m4p9-xhxv-6pf5
9.4
CVSS 4.0 · Vendor: INCIBE
Share

Severity by source

Vendor (INCIBE) PRIMARY
9.4 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
9.9 CRITICAL

Authenticated player (PR:L) can reach a network endpoint (AV:N/AC:L/UI:N); mass-assignment yields full C/I/A impact and SSRF crosses a trust boundary (S:C).

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (INCIBE).

CVSS VectorVendor: INCIBE

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 22, 2026 - 14:04 vuln.today

DescriptionCVE.org

The vulnerability is present in the ‘/addJugador’ endpoint:

  • The 'keyJugador' and 'keyJugadorObjectiu' parameters allow the modification of other users’ information without requiring prior authorization validation. This could enable an authenticated attacker to alter any user’s ID and change their information.
  • The ‘punts’ and ‘numObjectiusEliminats’ fields allow arbitrary data to be added because user input is not properly validated. This makes it possible to obtain authentic prizes, awarded by city councils, by falsifying game scores.
  • In the ‘tokens’ field, administrative privileges can be self-assigned without server validation or prior authentication. This vulnerability could allow an authenticated attacker to grant themselves administrator permissions and thus escalate privileges.
  • Numeric fields allow the entry of extremely long values, which can cause the system to crash. Successful exploitation of this vulnerability could allow an authenticated attacker to launch a denial-of-service (DoS) attack, preventing created games from being playable.
  • The ‘urlImatge’ parameter allows server-side requests to arbitrary URLs, enabling the retrieval of users’ internal IP addresses, access to internal services, reading of local files, and unauthorized interaction with third-party APIs. An authenticated attacker could gain access to sensitive data.

AnalysisAI

Multiple chained vulnerabilities in Gaudire's Assassin Game platform allow an authenticated low-privileged player to tamper with other users' accounts, escalate to administrator, defraud city-council-awarded prizes, trigger denial-of-service, and perform server-side request forgery via the /addJugador endpoint. With CVSS 4.0 base score 9.4 (Critical) and scope-changing impact across confidentiality, integrity, and availability, the flaws stem from systemic input validation failures (CWE-20). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Register player account
Delivery
Authenticate to API
Exploit
POST crafted JSON to /addJugador
Install
Inject tokens field for admin role
C2
Overwrite victim keyJugador and inflate punts
Execute
Fetch internal URL via urlImatge SSRF
Impact
Claim fraudulent prize and exfiltrate internal data

Vulnerability AssessmentAI

Exploitation Attacker must hold a valid authenticated session on the Assassin Game application (CVSS PR:L) and be able to reach the /addJugador HTTP endpoint over the network (AV:N, AC:L, UI:N) - typically meaning anyone who has registered as a player in a deployed municipal instance. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector AV:N/AC:L/AT:N/PR:L/UI:N with VC/VI/VA:H and subsequent-system SC/SI/SA:H accurately captures the severity: any account holder with a valid game session can pivot to administrator, exfiltrate internal network data via SSRF, and crash the service - a real, not inflated, priority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A player registers a normal account, logs in, and issues a single POST to /addJugador with a JSON body setting tokens to an administrator value and keyJugador to a victim's identifier, immediately gaining admin and rewriting the victim's profile. The same session then submits urlImatge=http://169.254.169.254/ or http://10.0.0.x/ to harvest cloud metadata and probe internal services, and sets punts to a winning value to claim a city-council prize. …
Remediation No vendor-released patch identified at time of analysis from the supplied data; consult the INCIBE advisory at https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-assassin-game-gaudire and Gaudire directly for a fixed build. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Identify and inventory all Gaudire platform deployments; assess total prize pool value, participant count, and business criticality to organization. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-7165 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy