CVE-2026-35443
Insecure Forum Topic Reaction Access in NamelessMC 2.2.4
Publication date: 2026-06-02
Last updated on: 2026-06-02
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| namelessmc | namelessmc | to 2.2.5 (exc) |
| namelessmc | namelessmc | 2.2.5 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The CVE-2026-35443 vulnerability affects NamelessMC version 2.2.4, a website software for Minecraft servers. The issue lies in the ForumPostReactionContext.php file, where the software only verifies if a user can view the forum but does not enforce topic-level permissions, specifically the "view_other_topics" restriction.
This means that in forums where users are allowed to enter but only view their own topics, they can still read, add, or modify reactions on other users' topics, which they should not have access to.
The vulnerability was fixed in version 2.2.5 by adding enforcement of topic-level permissions in the reaction validation function.
How can this vulnerability impact me? :
This vulnerability allows low-privileged users to bypass topic-level viewing restrictions in forums, enabling them to read and modify reactions on topics they are not authorized to access.
As a result, sensitive or private forum discussions could have their reactions exposed or altered by unauthorized users, potentially leading to misinformation, privacy breaches, or manipulation of forum content.
The severity of this issue is rated as Moderate.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing whether low-privileged users who are restricted to viewing only their own topics can still access or modify reactions on other users' topics.
A practical approach is to attempt to read or modify reactions on topics that the user should not have permission to view, verifying if unauthorized access is possible.
Since the issue is in the ForumPostReactionContext.php file's permission checks, manual or automated tests targeting reaction endpoints or UI elements related to reactions can reveal the vulnerability.
Specific commands depend on the environment, but for example, using curl or similar HTTP clients to send requests to reaction-related API endpoints with a low-privileged user token can help detect unauthorized access.
- Use curl to attempt to GET reaction data on topics the user should not access: curl -H "Authorization: Bearer <low-privilege-token>" https://<namelessmc-site>/forum/topic/<topic-id>/reactions
- Attempt to POST or PATCH reaction data on unauthorized topics similarly to test modification capabilities.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade NamelessMC to version 2.2.5 or later, where the vulnerability has been fixed by enforcing topic-level permissions in the ForumPostReactionContext::validateReactable() function.
Until the upgrade can be applied, consider restricting forum access to trusted users only or disabling reaction features to prevent unauthorized reaction viewing or modification.