Skip to main content

Xianyulauncher

1 CVEs product

Monthly

CVE-2026-48991 MEDIUM This Month

XianYuLauncher, a Minecraft Java Edition launcher, exposes Microsoft OAuth authentication tokens to local attackers in all versions prior to 1.5.5 due to an OAuth 2.0 Authorization Code flow implemented without PKCE or state parameter validation. A local attacker running a concurrent process on the same machine can race the launcher's fixed localhost redirect URI to intercept the authorization code, then exchange it for valid Microsoft and Minecraft access tokens without any special privileges. Compounding the exposure, ClientToken was stored on disk in plaintext and JWT/Bearer tokens could be leaked into log output. No public exploit has been identified and this vulnerability is not listed in CISA KEV.

Authentication Bypass Java Xianyulauncher
NVD GitHub
CVSS 3.1
5.5
EPSS
0.1%
EPSS 0% CVSS 5.5
MEDIUM This Month

XianYuLauncher, a Minecraft Java Edition launcher, exposes Microsoft OAuth authentication tokens to local attackers in all versions prior to 1.5.5 due to an OAuth 2.0 Authorization Code flow implemented without PKCE or state parameter validation. A local attacker running a concurrent process on the same machine can race the launcher's fixed localhost redirect URI to intercept the authorization code, then exchange it for valid Microsoft and Minecraft access tokens without any special privileges. Compounding the exposure, ClientToken was stored on disk in plaintext and JWT/Bearer tokens could be leaked into log output. No public exploit has been identified and this vulnerability is not listed in CISA KEV.

Authentication Bypass Java Xianyulauncher
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy