Description
Talishar is a fan-made Flesh and Blood project. Prior to commit a9c218e, an authentication bypass vulnerability in Talishar's game endpoint validation logic allows any unauthenticated attacker to perform authenticated game actions — including sending chat messages and submitting game inputs — by supplying an empty authKey parameter (authKey=). The server-side validation uses a loose comparison that accepts an empty string as a valid credential, while correctly rejecting non-empty but incorrect keys. This asymmetry means the authentication mechanism can be completely bypassed without knowing any valid token. This issue has been patched in commit a9c218e.
Published: 2026-03-06
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Authentication Bypass
Action: Patch
AI Analysis

Impact

An authentication bypass flaw in Talishar’s game endpoint validation allows any attacker to carry out actions that normally require authentication, such as sending chat messages or submitting game inputs, simply by providing an empty authKey parameter. The server compares the supplied credential loosely, accepting an empty string as valid while rejecting non‑empty incorrect keys, creating a critical asymmetry in the authentication logic.

Affected Systems

This vulnerability affects the Talishar fan‑made Flesh and Blood project. Any deployment of the game server running a version of the code prior to commit a9c218e is vulnerable; newer versions contain the patch.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, and the EPSS score of less than 1% suggests a low current probability of exploitation. The issue is not listed in the CISA KEV catalog. Because the attack requires only the submission of an empty authKey, it can be executed remotely over the public network without prior knowledge of valid credentials, effectively granting unauthenticated users privileged actions within the game.

Generated by OpenCVE AI on April 17, 2026 at 12:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the patch that replaces the loose comparison with a strict equality check, addressing the authentication bypass (CWE‑287).
  • Restart the Talishar server to load the corrected authentication logic.
  • If patching is not immediately possible, temporarily configure the server to reject any game requests that lack a valid, non‑empty authKey or that provide an empty authKey, mitigating the authentication bypass.
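The pattern described above (a comparison that rejects a wrong non-empty key but lets an empty one through) is easy to reproduce and easy to test for. The following is an added example, not Talishar's code: it models the vulnerable check beside the strict, non-empty, constant-time check the recommended actions call for, and adds a small log check that flags requests carrying an empty authKey so a deployment that cannot patch immediately can at least see the probing. The function names, the expected key, the request paths and the access-log lines are all constructed for illustration.

```python
import hmac
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for a per-game token; a real deployment would look it up per game/player.
EXPECTED_KEY = "constructed-example-key"


def vulnerable_is_authorized(auth_key, expected=EXPECTED_KEY):
    """Model of the asymmetric check (hypothetical, not Talishar's actual code).

    The guard only runs the comparison when the key is non-empty, so a wrong
    non-empty key is rejected while an empty key falls through as authorized.
    """
    if auth_key and auth_key != expected:
        return False
    return True


def hardened_is_authorized(auth_key, expected=EXPECTED_KEY):
    """Strict check: the key must be a non-empty string and match exactly.

    hmac.compare_digest keeps the comparison constant-time, which is the usual
    choice for credential comparison even though timing is not this CVE's issue.
    """
    if not isinstance(auth_key, str) or auth_key == "":
        return False
    return hmac.compare_digest(auth_key.encode("utf-8"), expected.encode("utf-8"))


# Constructed access-log lines in common log format; the /game/... paths are placeholders.
SAMPLE_LOG = [
    '10.0.0.5 - - [06/Mar/2026:05:16:31 +0000] "POST /game/chat?gameName=42&playerID=1&authKey= HTTP/1.1" 200 12',
    '10.0.0.6 - - [06/Mar/2026:05:16:40 +0000] "POST /game/chat?gameName=42&playerID=2&authKey=abc123 HTTP/1.1" 200 12',
    '10.0.0.7 - - [06/Mar/2026:05:16:52 +0000] "GET /game/state?gameName=42 HTTP/1.1" 200 880',
    "malformed line without a request section",
]


def find_empty_authkey_requests(log_lines):
    """Return the request targets whose query string carries authKey with an empty value."""
    flagged = []
    for line in log_lines:
        # The request line sits between the first pair of double quotes: METHOD TARGET VERSION.
        parts = line.split('"')
        if len(parts) < 3:
            continue
        request_fields = parts[1].split()
        if len(request_fields) < 2:
            continue
        target = request_fields[1]
        # keep_blank_values=True is required, otherwise "authKey=" is silently dropped.
        params = parse_qs(urlsplit(target).query, keep_blank_values=True)
        if "authKey" in params and all(value == "" for value in params["authKey"]):
            flagged.append(target)
    return flagged


if __name__ == "__main__":
    for key in ("", "wrong", EXPECTED_KEY):
        print(repr(key), "vulnerable:", vulnerable_is_authorized(key),
              "hardened:", hardened_is_authorized(key))
    print("empty-authKey requests:", find_empty_authkey_requests(SAMPLE_LOG))
```

The log check is deliberately conservative: it flags only requests that present the parameter with an empty value, which is the exact shape the description gives (authKey=), and ignores requests that omit the parameter entirely, since those may be legitimate unauthenticated reads.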

Tracking

Advisories

No advisories yet.

History

Mon, 09 Mar 2026 20:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 06 Mar 2026 15:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Talishar; Talishar talishar
Vendors & Products | | Talishar; Talishar talishar

Fri, 06 Mar 2026 05:15:00 +0000

Type | Values Removed | Values Added
Description | | Talishar is a fan-made Flesh and Blood project. Prior to commit a9c218e, an authentication bypass vulnerability in Talishar's game endpoint validation logic allows any unauthenticated attacker to perform authenticated game actions — including sending chat messages and submitting game inputs — by supplying an empty authKey parameter (authKey=). The server-side validation uses a loose comparison that accepts an empty string as a valid credential, while correctly rejecting non-empty but incorrect keys. This asymmetry means the authentication mechanism can be completely bypassed without knowing any valid token. This issue has been patched in commit a9c218e.
Title | | Talishar: Authentication Bypass via Empty authKey Parameter Allows Unauthenticated Game Actions
Weaknesses | | CWE-287
References | |
Metrics | | cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


Subscriptions

Talishar Talishar
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-09T19:54:28.169Z

Reserved: 2026-02-27T15:54:05.137Z

Link: CVE-2026-28428

Vulnrichment

Updated: 2026-03-09T19:54:23.944Z

NVD

Status : Awaiting Analysis

Published: 2026-03-06T05:16:31.607

Modified: 2026-03-09T13:36:08.413

Link: CVE-2026-28428

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T12:30:06Z

Weaknesses