Executive Summary

CVE-2026-40314 is a vulnerability in NamelessMC versions up to 2.2.4 that allows unauthenticated users to access reaction details on private or blocked profile posts without proper authorization.

The issue arises because the file ProfilePostReactionContext.php does not enforce visibility rules for blocked or private profiles, and the reactions.php module allows unauthenticated GET requests to retrieve reaction information.

As a result, an attacker can send crafted requests to view reaction participants and timestamps on private posts, which should normally be restricted.

This vulnerability was fixed in version 2.2.5 by enforcing proper authorization checks and applying visibility rules to reaction requests.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by exposing private information about user interactions on private or blocked profile posts.

Unauthenticated attackers can view who reacted to private posts and when, potentially leaking sensitive user activity data.

Additionally, low-privileged authenticated users might be able to add reactions to posts they should not have access to, potentially disrupting user privacy and trust.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by attempting to access reaction details on private or blocked profile posts without authentication. Specifically, sending unauthenticated GET requests to the reactions.php module with a crafted request for a private post ID can reveal reaction participants and timestamps if the system is vulnerable.

For example, a command using curl to test this could be:

• curl -i "https://[your-namelessmc-domain]/modules/Core/queries/reactions.php?post=10"

If the response returns HTTP status 200 and reaction details for a private post, the system is vulnerable.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade NamelessMC to version 2.2.5 or later, where the issue has been fixed.

The fix involves enforcing authorization checks in the ProfilePostReactionContext::validateReactable() function and applying the same visibility rules to reaction requests, ensuring that unauthenticated or unauthorized users cannot access reaction details on private or blocked profile posts.

Until the upgrade can be applied, consider restricting access to the reactions.php endpoint or implementing additional access controls at the web server or application firewall level to block unauthenticated GET requests to this resource.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows unauthenticated users to access reaction details, including participants and timestamps, on private or blocked profile posts without proper authorization.

Such unauthorized disclosure of private user interaction data could potentially violate privacy requirements outlined in regulations like GDPR or HIPAA, which mandate protection of personal and sensitive information.

By exposing private profile reactions to unauthorized parties, the vulnerability undermines data confidentiality and access control principles critical for compliance with these standards.

Useful 0 Not Useful 0