Description
NamelessMC is website software for Minecraft servers. In version 2.2.4, `modules/Forum/classes/ForumPostReactionContext.php` only verifies that the caller can view the forum, but it does not re-enforce topic-level `view_other_topics` authorization. As a result, in forums where users may enter the forum but may only view their own topics, reactions can still be read and modified on other users' topics. Version 2.2.5 fixes the issue.
Published: 2026-06-02
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

NamelessMC 2.2.4 authorizes forum reaction requests with only a "view forum" check and overlooks the topic-level "view_other_topics" authorization. This allows a user who can create or view reactions to read and change reactions on topics they are not allowed to see, breaking the intended access control model for forum content.
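The gap described above, modeled as an added PHP example: a forum-only check beside one that also enforces topic-level visibility. This is not NamelessMC's code; every class, function and permission-array name below is hypothetical, and the sample data is constructed.

```php
<?php
// Added illustration; all names are hypothetical, not NamelessMC's API.
declare(strict_types=1);

final class Topic {
    public function __construct(public int $id, public int $forumId, public int $authorId) {}
}

final class ForumPermissions {
    /** @param array<int, array{view: bool, view_other_topics: bool}> $byForum */
    public function __construct(private array $byForum) {}

    // Unknown forums default to deny.
    public function canViewForum(int $forumId): bool {
        return $this->byForum[$forumId]['view'] ?? false;
    }

    public function canViewOtherTopics(int $forumId): bool {
        return $this->byForum[$forumId]['view_other_topics'] ?? false;
    }
}

// Pattern the description attributes to 2.2.4: forum-level check only.
function reactionAllowedForumOnly(ForumPermissions $p, int $userId, Topic $t): bool {
    return $p->canViewForum($t->forumId);
}

// Hardened form: also require topic-level visibility
// (the caller's own topic, or view_other_topics on that forum).
function reactionAllowedTopicAware(ForumPermissions $p, int $userId, Topic $t): bool {
    if (!$p->canViewForum($t->forumId)) {
        return false;
    }
    return $t->authorId === $userId || $p->canViewOtherTopics($t->forumId);
}

// Constructed sample: forum 1 lets the user in but limits them to their own topics.
$perms  = new ForumPermissions([1 => ['view' => true, 'view_other_topics' => false]]);
$userId = 10;
$topics = ['own' => new Topic(100, 1, 10), 'other' => new Topic(101, 1, 20)];

foreach ($topics as $label => $topic) {
    printf("%-5s topic: forum-only=%s topic-aware=%s\n", $label,
        var_export(reactionAllowedForumOnly($perms, $userId, $topic), true),
        var_export(reactionAllowedTopicAware($perms, $userId, $topic), true));
}
```

The two functions disagree only for the other user's topic, which is the case a regression test for this class of bug should cover on both the read and the modify path.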

Affected Systems

NamelessMC community forum software (vendor Nameless). The bug affects the 2.2.4 release; version 2.2.5 and later contain the fix.

Risk and Exploitability

The CVSS score of 5.3 places the issue in the moderate severity range. No EPSS data is available, and the vulnerability is not listed in the CISA KEV catalog. An attacker must be authenticated and able to post reactions; with those permissions, they can override topic‑level visibility controls. The risk is notable for larger communities where reaction data includes sensitive context or user identity, but it does not provide full remote code execution or system compromise.

Generated by OpenCVE AI on June 2, 2026 at 18:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to NamelessMC version 2.2.5 or newer, which fixes the missing authorization check.
  • If upgrading is not possible, disable or restrict the reaction feature so that only trusted roles can use it.
  • Audit user permissions to ensure that only users with the "view_other_topics" capability can post reactions, and monitor reaction logs for unexpected modifications.



History

Tue, 02 Jun 2026 18:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Namelessmc; Namelessmc nameless |
| Vendors & Products | | Namelessmc; Namelessmc nameless |

Tue, 02 Jun 2026 18:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |

Tue, 02 Jun 2026 17:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | NamelessMC is website software for Minecraft servers. In version 2.2.4, `modules/Forum/classes/ForumPostReactionContext.php` only verifies that the caller can view the forum, but it does not re-enforce topic-level `view_other_topics` authorization. As a result, in forums where users may enter the forum but may only view their own topics, reactions can still be read and modified on other users' topics. Version 2.2.5 fixes the issue. |
| Title | | NamelessMC: Forum reactions bypass the "view own topics only" restriction |
| Weaknesses | | CWE-862 |
| References | | |
| Metrics | | cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'} |

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-02T18:08:08.554Z

Reserved: 2026-04-02T19:25:52.192Z

Link: CVE-2026-35443

Vulnrichment

Updated: 2026-06-02T18:06:50.008Z

NVD

Status: Deferred

Published: 2026-06-02T17:16:28.283

Modified: 2026-06-02T20:16:35.280

Link: CVE-2026-35443

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-02T18:30:15Z
