Description
NamelessMC is website software for Minecraft servers. In version 2.2.4, `core/classes/Misc/ProfilePostReactionContext.php` only verifies that the wall post exists and does not enforce blocked/private-profile visibility. This means that authenticated low-privileged users can add reactions to private or blocking profile posts. Version 2.2.5 contains a patch.
Published: 2026-06-02
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw in NamelessMC 2.2.4 lies in the reaction handling routine, where only the existence of a wall post is validated but visibility restrictions for private posts and block checks are omitted. This missing authorization allows an authenticated user with low privileges to attach reactions to posts that should remain hidden. The result is an unauthorized association of the user with private or blocked content, potentially infringing privacy and facilitating harassment. This issue is formally described as CWE‑862, indicating a missing authorization check.

Affected Systems

NamelessMC version 2.2.4 is the only affected release; the patch that restores the authorization check was delivered in version 2.2.5 and applies to all later releases.

Risk and Exploitability

The CVSS score of 5.3 denotes moderate risk. EPSS data is not provided and the vulnerability is not listed in the CISA KEV catalog, implying no large‑scale exploitation to date. Based on the description, it is inferred that an attacker must already be authenticated and use the web interface that submits reaction data to exploit the bug. The impact is limited to privacy violations by allowing reactions on private or blocked posts, not a full system compromise.

Generated by OpenCVE AI on June 2, 2026 at 18:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade NamelessMC to version 2.2.5 or later to restore missing authorization checks
  • Disable reactions to private or blocked profile posts through site settings or apply a temporary custom patch until the official update is installed
  • Restrict low‑privileged user permissions so that only users with appropriate roles can add reactions on private or blocked posts



Advisories

No advisories yet.

History

Tue, 02 Jun 2026 18:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Namelessmc; Namelessmc nameless |
| Vendors & Products | | Namelessmc; Namelessmc nameless |

Tue, 02 Jun 2026 17:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | NamelessMC is website software for Minecraft servers. In version 2.2.4, `core/classes/Misc/ProfilePostReactionContext.php` only verifies that the wall post exists and does not enforce blocked/private-profile visibility. This means that authenticated low-privileged users can add reactions to private or blocking profile posts. Version 2.2.5 contains a patch. |
| Title | | NamelessMC: Reactions on private or blocking profile posts can be modified without proper authorization |
| Weaknesses | | CWE-862 |
| References | | |
| Metrics | | cvssV4_0 `{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}` |


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-02T16:44:14.286Z

Reserved: 2026-04-14T13:24:29.474Z

Link: CVE-2026-40571

Vulnrichment

No data.

NVD

Status: Deferred

Published: 2026-06-02T17:16:29.020

Modified: 2026-06-02T17:18:38.120

Link: CVE-2026-40571

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-02T19:00:13Z
