Executive Summary

CVE-2026-28428 is an authentication bypass vulnerability in the Talishar PHP game platform. The issue arises because the server uses a loose comparison operator to validate the authentication key (authKey) against stored session tokens. Specifically, it uses a non-strict equality check that treats an empty string as a valid credential, allowing an attacker to bypass authentication simply by providing an empty authKey parameter.

This loose comparison means that while incorrect non-empty keys are rejected, an empty authKey is accepted, enabling any unauthenticated attacker to perform authenticated game actions such as sending chat messages, submitting game inputs, and impersonating players without knowing any valid token.

The vulnerability was fixed by replacing all loose equality checks with strict comparisons, ensuring that both the value and type of the authentication keys are compared, preventing this bypass.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an unauthenticated attacker to bypass authentication and perform any game actions as if they were an authenticated player.

• Send spoofed chat messages.
• Submit game moves or inputs.
• Concede games or manipulate game state.
• Read full game state data.
• Impersonate any player by specifying arbitrary playerID values.

The attack can be performed remotely over the network without any authentication or user interaction, using simple HTTP requests.

Overall, this can lead to unauthorized game manipulation, loss of game integrity, and exposure of sensitive game information.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring HTTP requests to the Talishar game endpoints for the presence of an empty authKey parameter (authKey=) in GET or POST requests. Attackers exploit this by sending requests with an empty authKey to bypass authentication.'}, {'type': 'paragraph', 'content': 'You can use network monitoring tools or command-line utilities like curl or tcpdump to detect such requests.'}, {'type': 'list_item', 'content': "Use curl to test if the server accepts an empty authKey parameter, for example: curl -G 'http://your-talishar-server/SubmitChat.php' --data-urlencode 'authKey=' --data-urlencode 'playerID=1'"}, {'type': 'list_item', 'content': 'Use tcpdump or Wireshark to filter HTTP traffic containing authKey= with no value to identify potential exploit attempts.'}, {'type': 'list_item', 'content': 'Check server logs for requests to endpoints like SubmitChat.php, ProcessInput.php, GetNextTurn.php, and JoinGameInput.php with empty authKey parameters.'}] [2]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to apply the patch that replaces loose equality checks with strict comparisons in the authentication logic.

Specifically, update the code to use strict inequality operators (!==) instead of loose inequality (!=) when comparing the authKey parameter to the stored authentication tokens.

• Apply the patch from commit a9c218efa37756c9e7eed056fbff6ee03f79aefc which fixes the authentication bypass by enforcing strict comparison.
• Restrict or monitor access to vulnerable endpoints such as SubmitChat.php, ProcessInput.php, GetNextTurn.php, and JoinGameInput.php until the patch is applied.
• Review and enhance authentication validation logic to ensure that empty or missing authKey parameters are rejected.

Useful 0 Not Useful 0