Skip to main content

Wiki EUVDEUVD-2026-12981

| CVE-2026-32736 MEDIUM
Missing Authorization (CWE-862)
2026-03-18 GitHub_M
4.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
1.0.0
EUVD ID Assigned
Mar 18, 2026 - 22:22 euvd
EUVD-2026-12981
Analysis Generated
Mar 18, 2026 - 22:22 vuln.today
CVE Published
Mar 18, 2026 - 22:06 nvd
MEDIUM 4.3

DescriptionGitHub Advisory

The Hytale Modding Wiki is a free service for Hytale mods to host their documentation & wikis. An Insecure Direct Object Reference (IDOR) vulnerability in versions of the wiki prior to 1.0.0 exposes mod authors' personal information - including full names and email addresses - to any authenticated user who visits a mod page. Any user who creates an account can access sensitive author details by simply navigating to a mod's page via its slug. Version 1.0.0 fixes the issue.

AnalysisAI

An Insecure Direct Object Reference (IDOR) vulnerability in the Hytale Modding Wiki prior to version 1.0.0 allows any authenticated user to access and view mod authors' personal information, including full names and email addresses, by navigating directly to mod pages using their slugs. The vulnerability requires only low-privilege authentication (account creation) and no user interaction, making it trivially exploitable. While the CVSS score is moderate at 4.3, the exposure of personally identifiable information (PII) represents a direct privacy harm to affected mod authors.

Technical ContextAI

The vulnerability stems from a failure to properly validate authorization on object access, classified under CWE-862 (Missing Authorization). The Hytale Modding Wiki application (CPE: cpe:2.3:a:hytalemodding:wiki:*:*:*:*:*:*:*:*) appears to implement authentication checks at the account/session level but does not enforce sufficient authorization controls on individual mod resources. When an authenticated user requests a mod page via its slug (a human-readable URL identifier), the backend returns sensitive author metadata without verifying whether the requesting user has permission to view that data. This is a common IDOR pattern where object identifiers are predictable (standard slug formats) and access controls are either absent or bypassable through direct enumeration.

RemediationAI

Immediately upgrade the Hytale Modding Wiki to version 1.0.0 or later, which includes the authorization fix committed at https://github.com/HytaleModding/wiki/commit/4a96b3f9bce9a9d34030c39a8d6e4c6b6183f13d. Until patching is completed, temporary mitigation may include restricting wiki access to a smaller set of authenticated users, implementing rate limiting on mod page requests to detect enumeration attempts, or reviewing access logs to identify unauthorized access to author information. Verify that the patch correctly implements per-resource authorization checks before granting access to mod metadata.

Share

EUVD-2026-12981 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy