Skip to main content

NamelessMC EUVD-2026-33960

| CVE-2026-34460 MEDIUM
Authentication Bypass by Assumed-Immutable Data (CWE-302)
2026-06-02 GitHub_M
CSRF Nameless
5.4
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Patch available
Jun 02, 2026 - 17:01 EUVD
Analysis Generated
Jun 02, 2026 - 16:03 vuln.today

DescriptionGitHub Advisory

NamelessMC is website software for Minecraft servers. In versions 2.2.4 and prior, the OAuth callback handling does not validate the state parameter server-side before exchanging the authorization code. This allows an attacker to capture a valid OAuth callback URL for their own account and cause a victim's browser to navigate to it, resulting in the victim's session being authenticated as the attacker-linked account (OAuth login CSRF / session swapping). This is patched in version 2.2.5.

AnalysisAI

OAuth login CSRF in NamelessMC 2.2.4 and prior enables session swapping by exploiting the absence of server-side state parameter validation during OAuth callback handling. An unauthenticated attacker (PR:N) who controls their own OAuth-linked account can capture a valid callback URL and socially engineer a victim (UI:R) into navigating to it, causing the victim's browser session to become authenticated as the attacker's account - effectively hijacking the victim's logged-in state. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Attacker links own account via OAuth
Delivery
Captures valid OAuth callback URL from own flow
Exploit
Crafts phishing link embedding captured callback URL
Execution
Victim clicks link and browser sends callback to NamelessMC
Persist
Server exchanges code without validating state parameter
Impact
Victim session authenticated as attacker-linked account
Sign in to reveal

Vulnerability AssessmentAI

Exploitation OAuth login must be enabled and configured on the NamelessMC instance - sites that rely solely on local username/password accounts are not affected. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 5.4 Medium score reflects a meaningful but bounded impact: AV:N (network-reachable), AC:L (low complexity once the attacker has their callback URL), PR:N (no privileges on the target system), and UI:R (victim must navigate to the crafted URL). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers an account on a target NamelessMC site and links it to an OAuth provider (e.g., Discord or Google). The attacker initiates an OAuth login flow, intercepts or records the resulting callback URL containing the authorization code bound to their own account, and then crafts a phishing email or forum post that causes the victim to visit that callback URL - for example, via an image tag or redirect. …
Remediation The vendor-released patch is NamelessMC version 2.2.5, confirmed by GitHub Security Advisory GHSA-pmpw-2xvh-5xj6 at https://github.com/NamelessMC/Nameless/security/advisories/GHSA-pmpw-2xvh-5xj6. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-33960 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy