Description
The vulnerability is present in the ‘/addJugador’ endpoint:
* The 'keyJugador' and 'keyJugadorObjectiu' parameters allow the modification of other users’ information without requiring prior authorization validation. This could enable an authenticated attacker to alter any user’s ID and change their information.

* The ‘punts’ and ‘numObjectiusEliminats’ fields allow arbitrary data to be added because user input is not properly validated. This makes it possible to obtain authentic prizes, awarded by city councils, by falsifying game scores.

* In the ‘tokens’ field, administrative privileges can be self-assigned without server validation or prior authentication. This vulnerability could allow an authenticated attacker to grant themselves administrator permissions and thus escalate privileges.

* Numeric fields allow the entry of extremely long values, which can cause the system to crash. Successful exploitation of this vulnerability could allow an authenticated attacker to launch a denial-of-service (DoS) attack, preventing created games from being playable.

* The ‘urlImatge’ parameter allows server-side requests to arbitrary URLs, enabling the retrieval of users’ internal IP addresses, access to internal services, reading of local files, and unauthorized interaction with third-party APIs. An authenticated attacker could gain access to sensitive data.
Published: 2026-06-22
Score: 9.4 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The /addJugador endpoint in the Assassin game allows an attacker with an authenticated session to modify critical parameters such as keyJugador, keyJugadorObjectiu, punts, numObjectiusEliminats, and tokens without any authorization checks. This enables the attacker to change other users’ identities, inflate scores, claim rewards, and self‑assign administrative privileges. Additionally, numeric fields permit extremely large values that can cause application crashes, providing a denial‑of‑service vector. The urlImatge parameter performs server‑side requests to arbitrary URLs, exposing the server to SSRF attacks, internal network enumeration, file disclosure, and unauthorized interaction with third‑party APIs. Together these weaknesses mean that a logged‑in attacker can hijack accounts, alter game outcomes, sabotage gameplay, and potentially gain broader network access.

Affected Systems

The vulnerable product is Gaudire Assassin game. No specific version information is provided.

Risk and Exploitability

The vulnerability has a CVSS score of 9.4, indicating critical severity. While no EPSS score is reported, the lack of mitigation makes exploitation highly likely if the attacker obtains a valid account. The flaw is not listed in CISA’s KEV catalog. Attack requires authentication and then exploits lack of validation and authorization checks, making it straightforward for anyone who can log in to the game to gain elevated privileges or disrupt operations.

Generated by OpenCVE AI on June 22, 2026 at 14:38 UTC.

Remediation

Vendor Solution

There is no reported solution at this time.


OpenCVE Recommended Actions

  • Apply strict authentication and authorization checks before processing any request to the /addJugador endpoint.
  • Validate and sanitize all user input, enforce numeric type checks and length limits, and reject any value that exceeds safe boundaries to prevent crashes and data tampering.
  • Disallow server‑side URL fetching or whitelist approved domains for the urlImatge parameter to mitigate SSRF and internal disclosure risks.

Generated by OpenCVE AI on June 22, 2026 at 14:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Gaudire
Gaudire assassin Game
Vendors & Products Gaudire
Gaudire assassin Game

Mon, 22 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 22 Jun 2026 13:45:00 +0000

Type Values Removed Values Added
Description The vulnerability is present in the ‘/addJugador’ endpoint: * The 'keyJugador' and 'keyJugadorObjectiu' parameters allow the modification of other users’ information without requiring prior authorization validation. This could enable an authenticated attacker to alter any user’s ID and change their information. * The ‘punts’ and ‘numObjectiusEliminats’ fields allow arbitrary data to be added because user input is not properly validated. This makes it possible to obtain authentic prizes, awarded by city councils, by falsifying game scores. * In the ‘tokens’ field, administrative privileges can be self-assigned without server validation or prior authentication. This vulnerability could allow an authenticated attacker to grant themselves administrator permissions and thus escalate privileges. * Numeric fields allow the entry of extremely long values, which can cause the system to crash. Successful exploitation of this vulnerability could allow an authenticated attacker to launch a denial-of-service (DoS) attack, preventing created games from being playable. * The ‘urlImatge’ parameter allows server-side requests to arbitrary URLs, enabling the retrieval of users’ internal IP addresses, access to internal services, reading of local files, and unauthorized interaction with third-party APIs. An authenticated attacker could gain access to sensitive data.
Title Multiple vulnerabilities in the Assassin game by Gaudire
Weaknesses CWE-20
References
Metrics cvssV4_0

{'score': 9.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


Subscriptions

Gaudire Assassin Game
cve-icon MITRE

Status: PUBLISHED

Assigner: INCIBE

Published:

Updated: 2026-06-22T15:45:24.290Z

Reserved: 2026-04-27T07:25:26.958Z

Link: CVE-2026-7165

cve-icon Vulnrichment

Updated: 2026-06-22T15:45:19.861Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-23T21:03:34Z

Weaknesses
  • CWE-20

    Improper Input Validation