Executive Summary

The CVE-2026-35443 vulnerability affects NamelessMC version 2.2.4, a website software for Minecraft servers. The issue lies in the ForumPostReactionContext.php file, where the software only verifies if a user can view the forum but does not enforce topic-level permissions, specifically the "view_other_topics" restriction.

This means that in forums where users are allowed to enter but only view their own topics, they can still read, add, or modify reactions on other users' topics, which they should not have access to.

The vulnerability was fixed in version 2.2.5 by adding enforcement of topic-level permissions in the reaction validation function.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows low-privileged users to bypass topic-level viewing restrictions in forums, enabling them to read and modify reactions on topics they are not authorized to access.

As a result, sensitive or private forum discussions could have their reactions exposed or altered by unauthorized users, potentially leading to misinformation, privacy breaches, or manipulation of forum content.

The severity of this issue is rated as Moderate.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by testing whether low-privileged users who are restricted to viewing only their own topics can still access or modify reactions on other users' topics.

A practical approach is to attempt to read or modify reactions on topics that the user should not have permission to view, verifying if unauthorized access is possible.

Since the issue is in the ForumPostReactionContext.php file's permission checks, manual or automated tests targeting reaction endpoints or UI elements related to reactions can reveal the vulnerability.

Specific commands depend on the environment, but for example, using curl or similar HTTP clients to send requests to reaction-related API endpoints with a low-privileged user token can help detect unauthorized access.

• Use curl to attempt to GET reaction data on topics the user should not access: curl -H "Authorization: Bearer <low-privilege-token>" https://<namelessmc-site>/forum/topic/<topic-id>/reactions
• Attempt to POST or PATCH reaction data on unauthorized topics similarly to test modification capabilities.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade NamelessMC to version 2.2.5 or later, where the vulnerability has been fixed by enforcing topic-level permissions in the ForumPostReactionContext::validateReactable() function.

Until the upgrade can be applied, consider restricting forum access to trusted users only or disabling reaction features to prevent unauthorized reaction viewing or modification.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows unauthorized users to read and modify reactions on forum topics they are not permitted to view, potentially leading to unauthorized access to user-generated content.

This unauthorized access could result in exposure or alteration of personal or sensitive information, which may impact compliance with data protection regulations such as GDPR or HIPAA that require strict access controls and protection of user data.

However, the provided information does not explicitly state the direct impact on compliance with these standards.

Useful 0 Not Useful 0