{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28428", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-27T15:54:05.137Z", "datePublished": "2026-03-06T04:59:52.271Z", "dateUpdated": "2026-03-09T19:54:28.169Z"}, "containers": {"cna": {"title": "Talishar: Authentication Bypass via Empty authKey Parameter Allows Unauthenticated Game Actions", "problemTypes": [{"descriptions": [{"cweId": "CWE-287", "lang": "en", "description": "CWE-287: Improper Authentication", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/Talishar/Talishar/security/advisories/GHSA-2659-p579-wv83", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Talishar/Talishar/security/advisories/GHSA-2659-p579-wv83"}, {"name": "https://github.com/Talishar/Talishar/commit/a9c218efa37756c9e7eed056fbff6ee03f79aefc", "tags": ["x_refsource_MISC"], "url": "https://github.com/Talishar/Talishar/commit/a9c218efa37756c9e7eed056fbff6ee03f79aefc"}], "affected": [{"vendor": "Talishar", "product": "Talishar", "versions": [{"version": "< a9c218efa37756c9e7eed056fbff6ee03f79aefc", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-06T04:59:52.271Z"}, "descriptions": [{"lang": "en", "value": "Talishar is a fan-made Flesh and Blood project. Prior to commit a9c218e, an authentication bypass vulnerability in Talishar's game endpoint validation logic allows any unauthenticated attacker to perform authenticated game actions \u2014 including sending chat messages and submitting game inputs \u2014 by supplying an empty authKey parameter (authKey=). The server-side validation uses a loose comparison that accepts an empty string as a valid credential, while correctly rejecting non-empty but incorrect keys. This asymmetry means the authentication mechanism can be completely bypassed without knowing any valid token. This issue has been patched in commit a9c218e."}], "source": {"advisory": "GHSA-2659-p579-wv83", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-09T19:54:17.946170Z", "id": "CVE-2026-28428", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T19:54:28.169Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28428", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-09T19:54:17.946170Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T19:54:23.944Z"}}], "cna": {"title": "Talishar: Authentication Bypass via Empty authKey Parameter Allows Unauthenticated Game Actions", "source": {"advisory": "GHSA-2659-p579-wv83", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "Talishar", "product": "Talishar", "versions": [{"status": "affected", "version": "< a9c218efa37756c9e7eed056fbff6ee03f79aefc"}]}], "references": [{"url": "https://github.com/Talishar/Talishar/security/advisories/GHSA-2659-p579-wv83", "name": "https://github.com/Talishar/Talishar/security/advisories/GHSA-2659-p579-wv83", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/Talishar/Talishar/commit/a9c218efa37756c9e7eed056fbff6ee03f79aefc", "name": "https://github.com/Talishar/Talishar/commit/a9c218efa37756c9e7eed056fbff6ee03f79aefc", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Talishar is a fan-made Flesh and Blood project. Prior to commit a9c218e, an authentication bypass vulnerability in Talishar's game endpoint validation logic allows any unauthenticated attacker to perform authenticated game actions \u2014 including sending chat messages and submitting game inputs \u2014 by supplying an empty authKey parameter (authKey=). The server-side validation uses a loose comparison that accepts an empty string as a valid credential, while correctly rejecting non-empty but incorrect keys. This asymmetry means the authentication mechanism can be completely bypassed without knowing any valid token. This issue has been patched in commit a9c218e."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-287", "description": "CWE-287: Improper Authentication"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-06T04:59:52.271Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28428", "state": "PUBLISHED", "dateUpdated": "2026-03-09T19:54:28.169Z", "dateReserved": "2026-02-27T15:54:05.137Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-06T04:59:52.271Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Talishar is a fan-made Flesh and Blood project. Prior to commit a9c218e, an authentication bypass vulnerability in Talishar's game endpoint validation logic allows any unauthenticated attacker to perform authenticated game actions \u2014 including sending chat messages and submitting game inputs \u2014 by supplying an empty authKey parameter (authKey=). The server-side validation uses a loose comparison that accepts an empty string as a valid credential, while correctly rejecting non-empty but incorrect keys. This asymmetry means the authentication mechanism can be completely bypassed without knowing any valid token. This issue has been patched in commit a9c218e."}, {"lang": "es", "value": "Talishar es un proyecto de Flesh and Blood creado por fans. Antes del commit a9c218e, una vulnerabilidad de omisi\u00f3n de autenticaci\u00f3n en la l\u00f3gica de validaci\u00f3n del endpoint de juego de Talishar permite a cualquier atacante no autenticado realizar acciones de juego autenticadas \u2014 incluyendo el env\u00edo de mensajes de chat y la introducci\u00f3n de entradas de juego \u2014 al proporcionar un par\u00e1metro authKey vac\u00edo (authKey=). La validaci\u00f3n del lado del servidor utiliza una comparaci\u00f3n laxa que acepta una cadena vac\u00eda como credencial v\u00e1lida, mientras que rechaza correctamente las claves no vac\u00edas pero incorrectas. Esta asimetr\u00eda significa que el mecanismo de autenticaci\u00f3n puede ser completamente omitido sin conocer ning\u00fan token v\u00e1lido. Este problema ha sido parcheado en el commit a9c218e."}], "id": "CVE-2026-28428", "lastModified": "2026-03-09T13:36:08.413", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-06T05:16:31.607", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/Talishar/Talishar/commit/a9c218efa37756c9e7eed056fbff6ee03f79aefc"}, {"source": "security-advisories@github.com", "url": "https://github.com/Talishar/Talishar/security/advisories/GHSA-2659-p579-wv83"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[0,a9c218efa37756c9e7eed056fbff6ee03f79aefc)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Talishar", "source": "cna", "vendor": "Talishar"}, "product": "talishar", "vendor": "talishar"}], "created": "2026-03-06T14:55:39.773026+00:00", "updated": "2026-03-06T14:55:39.773111+00:00", "vendors": ["talishar", "talishar$PRODUCT$talishar"]}