Description
XianYuLauncher is a Minecraft Java Edition launcher. In versions prior to 1.5.5, sensitive authentication artifacts could be exposed during a user-initiated login under certain local attack conditions. Affected versions relied on a fixed localhost redirect URI without PKCE or state validation. Exploitation is most likely to occur when an attacker is able to observe, intercept, or otherwise interfere with the local authentication flow on the same device. This issue has been fixed in version 1.5.5.
Published: 2026-06-17
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability lies in an OAuth redirect endpoint that hard-codes a localhost URL and omits PKCE and state validation, creating a credential-exposure weakness (CWE-287). When a user initiates a Microsoft account login, sensitive tokens may be stored or logged locally, which an attacker with the ability to observe or intercept the local communication could acquire, enabling credential reuse or unauthorized account access.
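The two checks the fixed flow adds, a PKCE verifier/challenge (RFC 7636, S256) and a session-bound state that the loopback listener must match before accepting a redirect, as an added example in Python that is not XianYuLauncher's own code; the authorization endpoint, client id and loopback port it uses are placeholders.

```python
# Added example (not XianYuLauncher code): the two checks the 1.5.5 fix adds
# to a loopback OAuth redirect, PKCE (RFC 7636, S256) and a session-bound state.
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def code_challenge(verifier: str) -> str:
    """S256 challenge: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode()).digest())


def new_pkce() -> tuple[str, str]:
    """Fresh 43-char high-entropy verifier and its challenge."""
    verifier = b64url(secrets.token_bytes(32))
    return verifier, code_challenge(verifier)


def build_authorize_url(auth_endpoint, client_id, redirect_uri, challenge, state):
    """Authorization request carrying the challenge and the state."""
    params = {"client_id": client_id, "response_type": "code",
              "redirect_uri": redirect_uri, "state": state,
              "code_challenge": challenge, "code_challenge_method": "S256"}
    return f"{auth_endpoint}?{urlencode(params)}"


def accept_loopback_redirect(request_target: str, expected_state: str):
    """Check the loopback listener must do before trusting a redirect.

    Returns the code only when `state` equals the value this session
    generated; a redirect another local process forges or replays is dropped.
    """
    qs = parse_qs(urlparse(request_target).query)
    code, state = qs.get("code", [None])[0], qs.get("state", [None])[0]
    if code is None or state is None:
        return None
    if not secrets.compare_digest(state.encode(), expected_state.encode()):
        return None
    return code


def server_verifies(verifier: str, stored_challenge: str) -> bool:
    """Token-endpoint side: a captured code is useless without the verifier."""
    return secrets.compare_digest(code_challenge(verifier).encode(),
                                  stored_challenge.encode())
```

Without the state check, any request that reaches the fixed loopback URI is accepted; without PKCE, a code obtained from that request can be redeemed by whoever holds it.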

Affected Systems

The issue affects all releases of XianYuLauncher earlier than 1.5.5. Versions 1.5.5 and newer incorporate PKCE and state checks and are not susceptible to this flaw.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity. The EPSS score of less than 1% reflects a very low likelihood of active exploitation, and the flaw is not listed in CISA’s KEV catalog. Nonetheless, exploitation requires a local attack vector—typically the presence of a malicious process on the same device that can intercept loopback traffic. In environments where multiple users share the same machine or where untrusted software can establish local connections, the risk profile rises. Promptly applying the vendor’s fix mitigates this risk. If an update cannot occur immediately, the risk remains until a suitable workaround is implemented.

Generated by OpenCVE AI on June 18, 2026 at 19:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update XianYuLauncher to version 1.5.5 or later, which adds PKCE and state validation to the OAuth flow.
  • Restrict local loopback connections by ensuring only trusted system services can listen on localhost, and terminate or isolate any untrusted processes that might intercept traffic.
  • Configure network or firewall rules to prevent unauthorized local socket connections or to enforce that OAuth redirects are handled only by the launcher’s process.

Generated by OpenCVE AI on June 18, 2026 at 19:14 UTC.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Description XianYuLauncher is a Minecraft Java Edition launcher. In versions prior to 1.5.5, sensitive authentication artifacts could be exposed during a user-initiated login under certain local attack conditions. Affected versions relied on a fixed localhost redirect URI without PKCE or state validation. Exploitation is most likely to occur when an attacker is able to observe, intercept, or otherwise interfere with the local authentication flow on the same device. This issue has been fixed in version 1.5.5.
Title XianYuLauncher: Legacy Microsoft account OAuth sign-in flow lacks PKCE and state validation
Weaknesses CWE-287
References
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-18T12:55:23.190Z

Reserved: 2026-05-26T23:26:07.975Z

Link: CVE-2026-48991

Vulnrichment

Updated: 2026-06-18T12:55:15.497Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T19:15:02Z

Weaknesses