Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Registration endpoint is network-accessible with no demonstrated auth barrier; impact limited to low integrity (fake accounts created) and low availability (abuse/spam potential), with no confidentiality loss.
Primary rating from Vendor (INCIBE).
CVSS VectorVendor: INCIBE
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
The vulnerability arises when the system fails to properly validate the 'email' field during the authentication process, allowing unverified or fake email addresses to be accepted. This lack of validation enables the creation of user accounts with fake email addresses, facilitating the mass creation of fraudulent accounts. Successful exploitation of this vulnerability could allow an authenticated attacker to carry out various attacks, such as mass spam distribution, system abuse, or bypassing user controls, thereby compromising the security and integrity of the system.
AnalysisAI
Email validation bypass in Gaudire's Assassin Game permits registration with arbitrary or non-existent email addresses, enabling automated mass account creation without real mailbox ownership verification. The CVSS 4.0 vector (PR:N, AV:N) indicates no prior authentication is required to trigger the flaw, though the description's contradictory reference to an 'authenticated attacker' has not been resolved by the vendor and warrants clarification before deploying mitigations. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The vulnerability is triggered during the account registration or authentication flow when the email field is submitted without server-side validation or ownership verification. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 base score of 6.9 (AV:N/AC:L/AT:N/PR:N/UI:N) reflects a network-accessible, low-complexity attack requiring no privileges or user interaction. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker scripts HTTP POST requests to the Assassin Game registration endpoint, submitting syntactically varied but non-existent or attacker-unowned email addresses (e.g., randomstring@disposable-domain.tld) in the email field, which the server accepts without challenge. Iterating this at scale creates hundreds or thousands of activated accounts within minutes, which the attacker then leverages to flood the platform with spam messages, manipulate in-game mechanics through coordinated fake participation, or evade per-account rate limits and ban controls. … |
| Remediation | No vendor-released patch version has been identified at time of analysis; the exact fix version is not independently confirmed from available data. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Assassin Game
View allMultiple chained vulnerabilities in Gaudire's Assassin Game platform allow an authenticated low-privileged player to tam
Sensitive information disclosure in Gaudire's Assassin Game application allows unauthenticated remote attackers to retri
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38237
GHSA-63h5-48q5-g43w