CVE-2026-48991
Status: Received - Intake
Authentication Bypass in XianYuLauncher via Local Redirect

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: GitHub, Inc.

Description
XianYuLauncher is a Minecraft Java Edition launcher. In versions prior to 1.5.5, sensitive authentication artifacts could be exposed during a user-initiated login under certain local attack conditions. Affected versions relied on a fixed localhost redirect URI without PKCE or state validation. Exploitation is most likely to occur when an attacker is able to observe, intercept, or otherwise interfere with the local authentication flow on the same device. This issue has been fixed in version 1.5.5.
Meta Information
Published: 2026-06-17
Last Modified: 2026-06-17
Generated: 2026-06-18
AI Q&A: 2026-06-18
EPSS Evaluated: N/A
Affected Vendors & Products (1 associated CPE)
Vendor: xianyu
Product: xianyu_launcher
Version / Range: up to 1.5.5 (excluding)
CWE
CWE-287: When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Executive Summary

The vulnerability exists in XianYuLauncher, a Minecraft Java Edition launcher, in versions prior to 1.5.5. It involves the exposure of sensitive authentication artifacts during a user-initiated login process under certain local attack conditions. This happens because the affected versions use a fixed localhost redirect URI without implementing PKCE (Proof Key for Code Exchange) or state validation, which are security measures designed to protect the authentication flow.

An attacker who can observe, intercept, or interfere with the local authentication flow on the same device may exploit this vulnerability to gain access to sensitive authentication information.

This issue has been fixed in version 1.5.5 of XianYuLauncher.

Impact Analysis

This vulnerability can lead to the exposure of sensitive authentication artifacts, which may allow an attacker with local access to the device to intercept or steal authentication credentials during the login process.

Such exposure could result in unauthorized access to the user's account or services associated with the launcher, potentially compromising user data or access rights.

Mitigation Strategies

To mitigate this vulnerability, you should update XianYuLauncher to version 1.5.5 or later, where the issue has been fixed.

Avoid using affected versions prior to 1.5.5, especially in environments where an attacker could observe or interfere with the local authentication flow.
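As an added illustration of the two controls the advisory says were missing (example code, not XianYuLauncher's own), the following loopback-redirect login binds each attempt to a fresh PKCE verifier and a random state value, so a callback that arrives with the wrong state is dropped and an intercepted authorization code cannot be redeemed without the verifier that never left the launcher's memory. The callback URL http://127.0.0.1:<port>/callback and the parameter names are assumed values.

```python
import base64
import hashlib
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Added example, not XianYuLauncher's code: a loopback-redirect login that binds
# each attempt to a fresh PKCE verifier (RFC 7636, S256) and a random `state`.
# The callback URL http://127.0.0.1:<port>/callback is an assumed value.

def b64url(raw: bytes) -> str:
    """Base64url without padding, as PKCE requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def start_login() -> dict:
    """Create per-attempt secrets; they live only in the launcher's memory."""
    verifier = b64url(secrets.token_bytes(32))        # 43 chars, within RFC 7636 limits
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    state = b64url(secrets.token_bytes(16))
    # Only `challenge` and `state` are placed in the authorization request;
    # `verifier` is sent later, directly to the token endpoint over TLS.
    return {"verifier": verifier, "challenge": challenge, "state": state}

def handle_redirect(pending: dict, callback_url: str) -> Optional[str]:
    """Accept the authorization code only if the callback carries the expected state."""
    qs = parse_qs(urlparse(callback_url).query)
    state = qs.get("state", [None])[0]
    code = qs.get("code", [None])[0]
    if state is None or code is None:
        return None
    # Constant-time compare; a callback with a stale or guessed state is ignored.
    if not secrets.compare_digest(state.encode(), pending["state"].encode()):
        return None
    return code

def token_endpoint_check(challenge_from_authz: str, verifier_from_token: str) -> bool:
    """The server-side half of PKCE: a code is useless without the matching verifier."""
    recomputed = b64url(hashlib.sha256(verifier_from_token.encode()).digest())
    return secrets.compare_digest(recomputed.encode(), challenge_from_authz.encode())

if __name__ == "__main__":
    p = start_login()
    good = f"http://127.0.0.1:51234/callback?code=SAMPLECODE&state={p['state']}"
    forged = "http://127.0.0.1:51234/callback?code=SAMPLECODE&state=guessed"
    assert handle_redirect(p, good) == "SAMPLECODE"
    assert handle_redirect(p, forged) is None
    assert token_endpoint_check(p["challenge"], p["verifier"])
    assert not token_endpoint_check(p["challenge"], b64url(secrets.token_bytes(32)))
    print("state and PKCE checks behave as expected")
```

A fixed redirect URI on its own is not the defect; the point is that without a per-attempt state and PKCE pair, anything that reaches that URI is indistinguishable from the genuine callback.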
