Description
NamelessMC is website software for Minecraft servers. In versions 2.2.4 and prior, the OAuth callback handling does not validate the state parameter server-side before exchanging the authorization code. This allows an attacker to capture a valid OAuth callback URL for their own account and cause a victim's browser to navigate to it, resulting in the victim's session being authenticated as the attacker-linked account (OAuth login CSRF / session swapping). This is patched in version 2.2.5.
Published: 2026-06-02
Score: 5.4 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in NamelessMC versions 2.2.4 and earlier allows attackers to exploit the absence of server‑side validation of the OAuth callback state parameter. By capturing a valid callback URL for their own account, an attacker can force a victim’s browser to visit that URL, causing the victim’s session to be authenticated as the attacker’s account. This results in unauthorized access to the victim’s account and potential further exploitation. The weakness corresponds to CWE‑302 (Authentication Bypass), CWE‑346 (Missing Authentication), and CWE‑352 (Cross‑Site Request Forgery).

Affected Systems

NamelessMC:Nameless, specifically all releases up to and including 2.2.4. Versions 2.2.5 and later contain a fix that validates the state parameter server‑side.

Risk and Exploitability

The CVSS score of 5.4 indicates a moderate severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. Attackers can perform the exploit by creating a malicious link containing the attacker’s own OAuth callback URL and tricking a victim into navigating to it, for example via phishing or social engineering. No additional privileges or network access are required beyond initiating an OAuth flow. The risk is primarily the compromise of user sessions and loss of confidentiality for the affected accounts.

Generated by OpenCVE AI on June 2, 2026 at 16:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade NamelessMC to version 2.2.5 or later to ensure the OAuth state parameter is validated server‑side.
  • After upgrading, verify that the application correctly checks the state parameter for all OAuth callbacks to prevent future session swapping attacks.
  • Audit user accounts that may have been compromised and encourage affected users to reset their passwords or review account activity for suspicious actions.
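As an added illustration, not NamelessMC's code and not a reproduction of the project's 2.2.5 fix, the following generic PHP login flow shows the callback shape the description outlines (code exchanged without consulting `state`) beside a hardened callback that binds `state` to the browser session and checks it server-side before any exchange. The function names, provider URL and session keys are assumptions.

```php
<?php
// Added example, not NamelessMC's code. beginLogin, handleCallback, exchangeCode
// and linkSessionToUser are hypothetical names; the provider URL is a placeholder.
// Requires PHP 7.1+ (random_bytes, nullable return types).
declare(strict_types=1);

const AUTHORIZE_URL = 'https://provider.example/oauth/authorize'; // placeholder

// Stand-ins for the real provider call and account linking (hypothetical).
function exchangeCode(string $code): ?array { return $code !== '' ? ['id' => 42] : null; }
function linkSessionToUser(array &$session, array $user): bool { $session['user_id'] = $user['id']; return true; }

// Step 1: mint an unguessable state, remember it in the session, build the redirect.
function beginLogin(array &$session, string $clientId, string $redirectUri): string
{
    $state = bin2hex(random_bytes(32));            // 256 bits from the CSPRNG
    $session['oauth_state'] = $state;
    $session['oauth_state_issued'] = time();
    return AUTHORIZE_URL . '?' . http_build_query([
        'response_type' => 'code', 'client_id' => $clientId,
        'redirect_uri' => $redirectUri, 'state' => $state,
    ]);
}

// Vulnerable shape (the pattern the advisory describes): the code is exchanged
// and the session linked without consulting state, so a callback URL minted in
// one browser authenticates whichever browser loads it.
function handleCallbackVulnerable(array &$session, array $query): bool
{
    $user = exchangeCode((string) ($query['code'] ?? ''));
    return $user !== null && linkSessionToUser($session, $user);
}

// Hardened shape: state must equal the one this session issued (constant-time
// compare), is consumed once, and must not be stale; only then exchange the code.
function handleCallback(array &$session, array $query, int $maxAge = 600): bool
{
    $expected = $session['oauth_state'] ?? null;
    $issued   = (int) ($session['oauth_state_issued'] ?? 0);
    unset($session['oauth_state'], $session['oauth_state_issued']);   // single use
    if (!is_string($expected) || !isset($query['state'], $query['code'])
        || time() - $issued > $maxAge
        || !hash_equals($expected, (string) $query['state'])) {
        return false;                       // foreign, replayed or expired callback
    }
    $user = exchangeCode((string) $query['code']);
    return $user !== null && linkSessionToUser($session, $user);
}
```

A callback that arrives in a session which never called beginLogin, or whose state differs from the one that session issued, is rejected before the provider is contacted, which is the property the recommended post-upgrade verification should confirm.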


Advisories

No advisories yet.

History

Tue, 02 Jun 2026 16:45:00 +0000 (values added; nothing removed)

  • First Time appeared: Namelessmc; Namelessmc nameless
  • Vendors & Products: Namelessmc; Namelessmc nameless

Tue, 02 Jun 2026 15:45:00 +0000 (values added; nothing removed)

  • Description: NamelessMC is website software for Minecraft servers. In versions 2.2.4 and prior, the OAuth callback handling does not validate the state parameter server-side before exchanging the authorization code. This allows an attacker to capture a valid OAuth callback URL for their own account and cause a victim's browser to navigate to it, resulting in the victim's session being authenticated as the attacker-linked account (OAuth login CSRF / session swapping). This is patched in version 2.2.5.
  • Title: NamelessMC: OAuth callback `state` is not validated, allowing login CSRF / session swapping
  • Weaknesses: CWE-302, CWE-346, CWE-352
  • References: (empty)
  • Metrics: cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-02T15:29:14.648Z

Reserved: 2026-03-27T18:18:14.896Z

Link: CVE-2026-34460

Vulnrichment

No data.

NVD

Status: Deferred

Published: 2026-06-02T16:16:36.933

Modified: 2026-06-02T17:15:44.040

Link: CVE-2026-34460

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-02T16:30:13Z

Weaknesses