CVE-2026-48991
Deferred Deferred - Pending Action

Authentication Bypass in XianYuLauncher via Local Redirect

Vulnerability report for CVE-2026-48991, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-17

Last updated on: 2026-06-22

Assigner: GitHub, Inc.

Description

XianYuLauncher is a Minecraft Java Edition launcher. In versions prior to 1.5.5, sensitive authentication artifacts could be exposed during a user-initiated login under certain local attack conditions. Affected versions relied on a fixed localhost redirect URI without PKCE or state validation. Exploitation is most likely to occur when an attacker is able to observe, intercept, or otherwise interfere with the local authentication flow on the same device. This issue has been fixed in version 1.5.5.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-17
Last Modified
2026-06-22
Generated
2026-07-08
AI Q&A
2026-06-18
EPSS Evaluated
2026-07-06
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
xianyu xianyu_launcher to 1.5.5 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The vulnerability in XianYuLauncher prior to version 1.5.5 exposes sensitive authentication artifacts during user-initiated login under certain local attack conditions. This exposure could potentially lead to unauthorized access to user authentication data.

Such exposure of sensitive authentication information may impact compliance with standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data to prevent unauthorized access and ensure user privacy.

However, the vulnerability is limited to local attack scenarios where an attacker can observe or interfere with the local authentication flow on the same device, which may reduce the overall risk depending on the environment.

The issue has been fixed in version 1.5.5, so updating to this version or later is necessary to mitigate compliance risks related to this vulnerability.

Executive Summary

The vulnerability exists in XianYuLauncher, a Minecraft Java Edition launcher, in versions prior to 1.5.5. It involves the exposure of sensitive authentication artifacts during a user-initiated login process under certain local attack conditions. This happens because the affected versions use a fixed localhost redirect URI without implementing PKCE (Proof Key for Code Exchange) or state validation, which are security measures designed to protect the authentication flow.

An attacker who can observe, intercept, or interfere with the local authentication flow on the same device may exploit this vulnerability to gain access to sensitive authentication information.

This issue has been fixed in version 1.5.5 of XianYuLauncher.

Impact Analysis

This vulnerability can lead to the exposure of sensitive authentication artifacts, which may allow an attacker with local access to the device to intercept or steal authentication credentials during the login process.

Such exposure could result in unauthorized access to the user's account or services associated with the launcher, potentially compromising user data or access rights.

Mitigation Strategies

To mitigate this vulnerability, you should update XianYuLauncher to version 1.5.5 or later, where the issue has been fixed.

Avoid using affected versions prior to 1.5.5, especially in environments where an attacker could observe or interfere with the local authentication flow.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-48991. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart