Description
The Hytale Modding Wiki is a free service for Hytale mods to host their documentation & wikis. An Insecure Direct Object Reference (IDOR) vulnerability in versions of the wiki prior to 1.0.0 exposes mod authors' personal information - including full names and email addresses - to any authenticated user who visits a mod page. Any user who creates an account can access sensitive author details by simply navigating to a mod's page via its slug. Version 1.0.0 fixes the issue.
Published: 2026-03-18
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Exposure of personal data through IDOR
Action: Patch v1.0.0
AI Analysis

Impact

The vulnerability is an Insecure Direct Object Reference that lets any authenticated user view mod authors' full names and email addresses by navigating to a mod page via its slug. This is a privacy breach that exposes personally identifiable information (PII), violating GDPR requirements. The weakness is categorized as CWE-862, an access control issue. No evidence of code execution or denial of service is provided, so the primary impact is data disclosure rather than system compromise.

Affected Systems

Hytale Modding Wiki, versions prior to 1.0.0, are affected. The vendor product HytaleModding:wiki is listed, and the fix was applied in version 1.0.0.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity. EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. The attack vector requires authentication; any user with an account can exploit the flaw by simply visiting a mod page. Because no public exploits are reported, the threat level is that of a low to moderate risk for privacy violations, but it remains technically feasible for any valid user within the system.

Generated by OpenCVE AI on March 18, 2026 at 23:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official patch by upgrading Hytale Modding Wiki to version 1.0.0 or later.

Generated by OpenCVE AI on March 18, 2026 at 23:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
First Time appeared Hytale
Hytale modding Wiki
CPEs cpe:2.3:a:hytale:modding_wiki:*:*:*:*:*:*:*:*
Vendors & Products Hytale
Hytale modding Wiki

Thu, 19 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 19 Mar 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Hytalemodding
Hytalemodding wiki
Vendors & Products Hytalemodding
Hytalemodding wiki

Wed, 18 Mar 2026 22:30:00 +0000

Type Values Removed Values Added
Description The Hytale Modding Wiki is a free service for Hytale mods to host their documentation & wikis. An Insecure Direct Object Reference (IDOR) vulnerability in versions of the wiki prior to 1.0.0 exposes mod authors' personal information - including full names and email addresses - to any authenticated user who visits a mod page. Any user who creates an account can access sensitive author details by simply navigating to a mod's page via its slug. Version 1.0.0 fixes the issue.
Title Hytale Modding Wiki has Insecure Direct Object Reference / GDPR PII Exposure
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Hytale Modding Wiki
Hytalemodding Wiki
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-19T16:57:46.390Z

Reserved: 2026-03-13T15:02:00.627Z

Link: CVE-2026-32736

cve-icon Vulnrichment

Updated: 2026-03-19T16:57:42.419Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-18T23:17:29.883

Modified: 2026-04-22T17:08:04.350

Link: CVE-2026-32736

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T11:51:55Z

Weaknesses