Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Authenticated player (PR:L) can reach a network endpoint (AV:N/AC:L/UI:N); mass-assignment yields full C/I/A impact and SSRF crosses a trust boundary (S:C).
Primary rating from Vendor (INCIBE).
CVSS VectorVendor: INCIBE
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
The vulnerability is present in the ‘/addJugador’ endpoint:
- The 'keyJugador' and 'keyJugadorObjectiu' parameters allow the modification of other users’ information without requiring prior authorization validation. This could enable an authenticated attacker to alter any user’s ID and change their information.
- The ‘punts’ and ‘numObjectiusEliminats’ fields allow arbitrary data to be added because user input is not properly validated. This makes it possible to obtain authentic prizes, awarded by city councils, by falsifying game scores.
- In the ‘tokens’ field, administrative privileges can be self-assigned without server validation or prior authentication. This vulnerability could allow an authenticated attacker to grant themselves administrator permissions and thus escalate privileges.
- Numeric fields allow the entry of extremely long values, which can cause the system to crash. Successful exploitation of this vulnerability could allow an authenticated attacker to launch a denial-of-service (DoS) attack, preventing created games from being playable.
- The ‘urlImatge’ parameter allows server-side requests to arbitrary URLs, enabling the retrieval of users’ internal IP addresses, access to internal services, reading of local files, and unauthorized interaction with third-party APIs. An authenticated attacker could gain access to sensitive data.
AnalysisAI
Multiple chained vulnerabilities in Gaudire's Assassin Game platform allow an authenticated low-privileged player to tamper with other users' accounts, escalate to administrator, defraud city-council-awarded prizes, trigger denial-of-service, and perform server-side request forgery via the /addJugador endpoint. With CVSS 4.0 base score 9.4 (Critical) and scope-changing impact across confidentiality, integrity, and availability, the flaws stem from systemic input validation failures (CWE-20). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Attacker must hold a valid authenticated session on the Assassin Game application (CVSS PR:L) and be able to reach the /addJugador HTTP endpoint over the network (AV:N, AC:L, UI:N) - typically meaning anyone who has registered as a player in a deployed municipal instance. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector AV:N/AC:L/AT:N/PR:L/UI:N with VC/VI/VA:H and subsequent-system SC/SI/SA:H accurately captures the severity: any account holder with a valid game session can pivot to administrator, exfiltrate internal network data via SSRF, and crash the service - a real, not inflated, priority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A player registers a normal account, logs in, and issues a single POST to /addJugador with a JSON body setting tokens to an administrator value and keyJugador to a victim's identifier, immediately gaining admin and rewriting the victim's profile. The same session then submits urlImatge=http://169.254.169.254/ or http://10.0.0.x/ to harvest cloud metadata and probe internal services, and sets punts to a winning value to claim a city-council prize. … |
| Remediation | No vendor-released patch identified at time of analysis from the supplied data; consult the INCIBE advisory at https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-assassin-game-gaudire and Gaudire directly for a fixed build. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Identify and inventory all Gaudire platform deployments; assess total prize pool value, participant count, and business criticality to organization. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Assassin Game
View allSensitive information disclosure in Gaudire's Assassin Game application allows unauthenticated remote attackers to retri
Email validation bypass in Gaudire's Assassin Game permits registration with arbitrary or non-existent email addresses,
Same weakness CWE-20 – Improper Input Validation
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38235
GHSA-m4p9-xhxv-6pf5