CVE-2026-28428

⚪ Do wiadomości

Obejście uwierzytelnienia w Talishar umożliwia nieautoryzowanym atakującym wykonywanie akcji w grze.

CVSS

5.3

EPSS

0.2%

Exploit

poc

Vendor

talishar

Opis źródłowy (NVD)

Talishar is a fan-made Flesh and Blood project. Prior to commit a9c218e, an authentication bypass vulnerability in Talishar's game endpoint validation logic allows any unauthenticated attacker to perform authenticated game actions — including sending chat messages and submitting game inputs — by supplying an empty authKey parameter (authKey=). The server-side validation uses a loose comparison that accepts an empty string as a valid credential, while correctly rejecting non-empty but incorrect keys. This asymmetry means the authentication mechanism can be completely bypassed without knowing any valid token. This issue has been patched in commit a9c218e.

auth-bypass exploit Brak patcha

Źródła i daty

Źródło	Wartość
NVD – CVSS	5.3
CISA KEV (aktywnie wykorzystywane)	Nie
FIRST EPSS (prawdopodobieństwo exploita)	0.2%
Opublikowano (NVD)	2026-03-06 05:16:31 UTC
Ostatnia modyfikacja (NVD)	2026-04-20 12:57:06 UTC

Referencje

https://github.com/Talishar/Talishar/commit/a9c218efa37756c9e7eed056fbff6ee03f79aefc (security-advisories@github.com) [Patch]
https://github.com/Talishar/Talishar/security/advisories/GHSA-2659-p579-wv83 (security-advisories@github.com) [Exploit, Vendor Advisory]