CVE-2026-40314
Unauthenticated Access to Private Profile Reactions in NamelessMC
Publication date: 2026-06-02
Last updated on: 2026-06-02
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| namelessmc | namelessmc | to 2.2.4 (inc) |
| namelessmc | namelessmc | 2.2.5 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-40314 is a vulnerability in NamelessMC versions up to 2.2.4 that allows unauthenticated users to access reaction details on private or blocked profile posts without proper authorization.
The issue arises because the file ProfilePostReactionContext.php does not enforce visibility rules for blocked or private profiles, and the reactions.php module allows unauthenticated GET requests to retrieve reaction information.
As a result, an attacker can send crafted requests to view reaction participants and timestamps on private posts, which should normally be restricted.
This vulnerability was fixed in version 2.2.5 by enforcing proper authorization checks and applying visibility rules to reaction requests.
How can this vulnerability impact me? :
This vulnerability can impact you by exposing private information about user interactions on private or blocked profile posts.
Unauthenticated attackers can view who reacted to private posts and when, potentially leaking sensitive user activity data.
Additionally, low-privileged authenticated users might be able to add reactions to posts they should not have access to, potentially disrupting user privacy and trust.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to access reaction details on private or blocked profile posts without authentication. Specifically, sending unauthenticated GET requests to the reactions.php module with a crafted request for a private post ID can reveal reaction participants and timestamps if the system is vulnerable.
For example, a command using curl to test this could be:
- curl -i "https://[your-namelessmc-domain]/modules/Core/queries/reactions.php?post=10"
If the response returns HTTP status 200 and reaction details for a private post, the system is vulnerable.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade NamelessMC to version 2.2.5 or later, where the issue has been fixed.
The fix involves enforcing authorization checks in the ProfilePostReactionContext::validateReactable() function and applying the same visibility rules to reaction requests, ensuring that unauthenticated or unauthorized users cannot access reaction details on private or blocked profile posts.
Until the upgrade can be applied, consider restricting access to the reactions.php endpoint or implementing additional access controls at the web server or application firewall level to block unauthenticated GET requests to this resource.