Description
NamelessMC is website software for Minecraft servers. In version 2.2.4,`core/classes/Misc/ProfilePostReactionContext.php` only verifies that the wall post exists and does not enforce blocked/private-profile visibility. `modules/Core/queries/reactions.php` allows unauthenticated GET requests for reaction details. This means that unauthenticated visitors can read reaction participants and timestamps for private profile posts and uthenticated low-privileged users can add reactions to private or blocking profile posts. Version 2.2.5 fixes the issue.
Published: 2026-06-02
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in NamelessMC 2.2.4 allows unauthenticated users to retrieve reaction details on private profile posts via a GET request, and lets authenticated users with low privileges add reactions to those private or blocking posts. This provides attackers with visibility into the identity and actions of users who intended to keep their posts private, and can lead to unauthorized engagement on sensitive content. The weakness is a classic authorization bypass, categorized under CWE‑862. The impact is a breach of confidentiality and potential consent violations, but does not directly compromise the underlying system or leak credentials.

Affected Systems

NamelessMC web platform for Minecraft servers, specifically version 2.2.4. The issue was addressed in version 2.2.5, which enforces proper visibility checks for reactions on private or blocking profile posts.

Risk and Exploitability

The CVSS score of 6.9 indicates a medium severity vulnerability. No EPSS data is available, and the vulnerability is not listed in the CISA KEV catalog. Attackers can exploit it remotely by making unauthenticated GET requests or by simply adding reactions if they have low‑privilege access, meaning that denial of proper authorization controls is the primary risk factor. The presence of a dedicated fix in the next release indicates that the attack vector relies on insufficient access checks rather than complex conditions.

Generated by OpenCVE AI on June 2, 2026 at 18:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade NamelessMC to version 2.2.5 or later, which validates post visibility before exposing or allowing reaction data.
  • If an upgrade is not immediately possible, configure the platform to disable reactions on private posts or temporarily remove the reaction feature from those posts.
  • Review and tighten user role permissions to ensure that only users with appropriate privileges can create or view reactions, and audit application logs for suspicious reaction activity.

Generated by OpenCVE AI on June 2, 2026 at 18:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 02 Jun 2026 18:45:00 +0000

Type Values Removed Values Added
First Time appeared Namelessmc
Namelessmc nameless
Vendors & Products Namelessmc
Namelessmc nameless

Tue, 02 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 02 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description NamelessMC is website software for Minecraft servers. In version 2.2.4,`core/classes/Misc/ProfilePostReactionContext.php` only verifies that the wall post exists and does not enforce blocked/private-profile visibility. `modules/Core/queries/reactions.php` allows unauthenticated GET requests for reaction details. This means that unauthenticated visitors can read reaction participants and timestamps for private profile posts and uthenticated low-privileged users can add reactions to private or blocking profile posts. Version 2.2.5 fixes the issue.
Title NamelessMC: Reactions on private or blocking profile posts can be read and modified without proper authorization
Weaknesses CWE-862
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Namelessmc Nameless
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-02T17:23:37.908Z

Reserved: 2026-04-10T21:41:54.505Z

Link: CVE-2026-40314

cve-icon Vulnrichment

Updated: 2026-06-02T17:22:59.669Z

cve-icon NVD

Status : Deferred

Published: 2026-06-02T17:16:28.867

Modified: 2026-06-02T20:16:35.737

Link: CVE-2026-40314

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-02T18:30:15Z

Weaknesses