Skip to main content

CloudburstMC Protocol EUVDEUVD-2026-34032

| CVE-2026-45289 MEDIUM
Improper Authentication (CWE-287)
2026-06-02 GitHub_M
5.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Patch available
Jun 02, 2026 - 22:01 EUVD
Analysis Generated
Jun 02, 2026 - 21:22 vuln.today

DescriptionGitHub Advisory

CloudburstMC Protocol is a protocol library for Minecraft Bedrock Edition. Prior to version 3.0.0.Beta12-20260420.182526-15, CloudburstMC Protocol is partially missing validation for FULL type authentication tokens (Cloudburst/Protocol). This vulnerability impacts publicly accessible software depending on the affected versions of Protocol, specifically the EncryptionUtils methods to validate auth payloads for FULL type tokens. This issue has been patched in version 3.0.0.Beta12-20260420.182526-15.

AnalysisAI

Authentication bypass in CloudburstMC Protocol, the Minecraft Bedrock Edition protocol library, allows remote unauthenticated attackers to partially bypass token validation by exploiting incomplete checks in EncryptionUtils for FULL type authentication tokens. All versions prior to 3.0.0.Beta12-20260420.182526-15 are affected, impacting any publicly accessible software - such as Bedrock-compatible game servers - that depends on this library's auth payload validation logic. The CVSS vector (AV:N/AC:L/PR:N/UI:N/I:L) confirms low-complexity remote exploitation with limited integrity impact; no public exploit code or CISA KEV listing has been identified at time of analysis.

Technical ContextAI

CloudburstMC Protocol is an open-source Java library implementing the Minecraft Bedrock Edition network protocol, used by server software to handle client connections. Authentication in Bedrock uses JSON Web Token (JWT) chains to verify client identity; FULL type tokens represent one authentication mode within this chain. The vulnerability, classified under CWE-287 (Improper Authentication), arises from incomplete input validation inside the EncryptionUtils class when processing FULL type auth payloads - meaning certain token fields or structural checks required for proper authentication verification are not enforced. The affected CPE is cpe:2.3:a:cloudburstmc:protocol:*:*:*:*:*:*:*:*, indicating all versions of the library prior to the patched release. The root cause is a validation gap rather than a cryptographic break, meaning a crafted or malformed payload can pass authentication checks that should otherwise reject it.

RemediationAI

The primary fix is to upgrade CloudburstMC Protocol to version 3.0.0.Beta12-20260420.182526-15 or later, which introduces complete validation for FULL type authentication token payloads in EncryptionUtils. Server operators using this library as a dependency (e.g., via Maven or Gradle) should update their dependency declaration to reference this release and rebuild or redeploy. The vendor advisory at https://github.com/CloudburstMC/Protocol/security/advisories/GHSA-g2fr-c75x-4hf9 should be consulted for any additional guidance. If an immediate upgrade is not feasible, a compensating control would be to restrict public network access to the Bedrock server (e.g., whitelist known client IPs at the firewall level), though this significantly limits server accessibility and is not appropriate for public-facing deployments. There are no other documented workarounds; the fix is solely in the patched library version.

Share

EUVD-2026-34032 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy