CVE-2026-34460
5.4
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Summary
NamelessMC is website software for Minecraft servers. In versions 2.2.4 and prior, the OAuth callback handling does not validate the state parameter server-side before exchanging the authorization code. This allows an attacker to capture a valid OAuth callback URL for their own account and cause a victim's browser to navigate to it, resulting in the victim's session being authenticated as the attacker-linked account (OAuth login CSRF / session swapping). This is patched in version 2.2.5.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| NamelessMC | Nameless | < 2.2.5 | affected |
Weaknesses
- CWE-302: CWE-302: Authentication Bypass by Assumed-Immutable Data
- CWE-346: CWE-346: Origin Validation Error
- CWE-352: CWE-352: Cross-Site Request Forgery (CSRF)
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: partial
Additional References
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.