Skip to main content

Assassin Game EUVDEUVD-2026-38237

| CVE-2026-7167 MEDIUM
Information Exposure (CWE-200)
2026-06-22 INCIBE GHSA-63h5-48q5-g43w
6.9
CVSS 4.0 · Vendor: INCIBE
Share

Severity by source

Vendor (INCIBE) PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.5 MEDIUM

Registration endpoint is network-accessible with no demonstrated auth barrier; impact limited to low integrity (fake accounts created) and low availability (abuse/spam potential), with no confidentiality loss.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (INCIBE).

CVSS VectorVendor: INCIBE

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 22, 2026 - 14:40 vuln.today

DescriptionCVE.org

The vulnerability arises when the system fails to properly validate the 'email' field during the authentication process, allowing unverified or fake email addresses to be accepted. This lack of validation enables the creation of user accounts with fake email addresses, facilitating the mass creation of fraudulent accounts. Successful exploitation of this vulnerability could allow an authenticated attacker to carry out various attacks, such as mass spam distribution, system abuse, or bypassing user controls, thereby compromising the security and integrity of the system.

AnalysisAI

Email validation bypass in Gaudire's Assassin Game permits registration with arbitrary or non-existent email addresses, enabling automated mass account creation without real mailbox ownership verification. The CVSS 4.0 vector (PR:N, AV:N) indicates no prior authentication is required to trigger the flaw, though the description's contradictory reference to an 'authenticated attacker' has not been resolved by the vendor and warrants clarification before deploying mitigations. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Access registration endpoint over network
Delivery
Submit registration request with fake or unverified email address
Exploit
Server accepts email without validation or confirmation challenge
Execution
Fraudulent account activated
Persist
Repeat at scale to create mass fake accounts
Impact
Abuse accounts for spam distribution or bypass of per-user controls

Vulnerability AssessmentAI

Exploitation The vulnerability is triggered during the account registration or authentication flow when the email field is submitted without server-side validation or ownership verification. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 base score of 6.9 (AV:N/AC:L/AT:N/PR:N/UI:N) reflects a network-accessible, low-complexity attack requiring no privileges or user interaction. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker scripts HTTP POST requests to the Assassin Game registration endpoint, submitting syntactically varied but non-existent or attacker-unowned email addresses (e.g., randomstring@disposable-domain.tld) in the email field, which the server accepts without challenge. Iterating this at scale creates hundreds or thousands of activated accounts within minutes, which the attacker then leverages to flood the platform with spam messages, manipulate in-game mechanics through coordinated fake participation, or evade per-account rate limits and ban controls. …
Remediation No vendor-released patch version has been identified at time of analysis; the exact fix version is not independently confirmed from available data. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-38237 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy