CVE-2026-28428 (GCVE-0-2026-28428)
Vulnerability from cvelistv5 – Published: 2026-03-06 04:59 – Updated: 2026-03-09 19:54
Title
Talishar: Authentication Bypass via Empty authKey Parameter Allows Unauthenticated Game Actions
Summary
Talishar is a fan-made Flesh and Blood project. Prior to commit a9c218e, an authentication bypass vulnerability in Talishar's game endpoint validation logic allows any unauthenticated attacker to perform authenticated game actions — including sending chat messages and submitting game inputs — by supplying an empty authKey parameter (authKey=). The server-side validation uses a loose comparison that accepts an empty string as a valid credential, while correctly rejecting non-empty but incorrect keys. This asymmetry means the authentication mechanism can be completely bypassed without knowing any valid token. This issue has been patched in commit a9c218e.
Severity
5.3 (Medium)
CWE
- CWE-287 - Improper Authentication
Assigner
GitHub_M
References
| URL | Tags |
|---|---|
| https://github.com/Talishar/Talishar/security/advisories/GHSA-2659-p579-wv83 | x_refsource_CONFIRM |
| https://github.com/Talishar/Talishar/commit/a9c218efa37756c9e7eed056fbff6ee03f79aefc | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-28428",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-09T19:54:17.946170Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-09T19:54:28.169Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Talishar",
"vendor": "Talishar",
"versions": [
{
"status": "affected",
"version": "\u003c a9c218efa37756c9e7eed056fbff6ee03f79aefc"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Talishar is a fan-made Flesh and Blood project. Prior to commit a9c218e, an authentication bypass vulnerability in Talishar\u0027s game endpoint validation logic allows any unauthenticated attacker to perform authenticated game actions \u2014 including sending chat messages and submitting game inputs \u2014 by supplying an empty authKey parameter (authKey=). The server-side validation uses a loose comparison that accepts an empty string as a valid credential, while correctly rejecting non-empty but incorrect keys. This asymmetry means the authentication mechanism can be completely bypassed without knowing any valid token. This issue has been patched in commit a9c218e."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-06T04:59:52.271Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Talishar/Talishar/security/advisories/GHSA-2659-p579-wv83",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Talishar/Talishar/security/advisories/GHSA-2659-p579-wv83"
},
{
"name": "https://github.com/Talishar/Talishar/commit/a9c218efa37756c9e7eed056fbff6ee03f79aefc",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Talishar/Talishar/commit/a9c218efa37756c9e7eed056fbff6ee03f79aefc"
}
],
"source": {
"advisory": "GHSA-2659-p579-wv83",
"discovery": "UNKNOWN"
},
"title": "Talishar: Authentication Bypass via Empty authKey Parameter Allows Unauthenticated Game Actions"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-28428",
"datePublished": "2026-03-06T04:59:52.271Z",
"dateReserved": "2026-02-27T15:54:05.137Z",
"dateUpdated": "2026-03-09T19:54:28.169Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-28428",
"date": "2026-04-20",
"epss": "0.00187",
"percentile": "0.40515"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-28428\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-06T05:16:31.607\",\"lastModified\":\"2026-04-20T12:57:06.860\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Talishar is a fan-made Flesh and Blood project. Prior to commit a9c218e, an authentication bypass vulnerability in Talishar\u0027s game endpoint validation logic allows any unauthenticated attacker to perform authenticated game actions \u2014 including sending chat messages and submitting game inputs \u2014 by supplying an empty authKey parameter (authKey=). The server-side validation uses a loose comparison that accepts an empty string as a valid credential, while correctly rejecting non-empty but incorrect keys. This asymmetry means the authentication mechanism can be completely bypassed without knowing any valid token. This issue has been patched in commit a9c218e.\"},{\"lang\":\"es\",\"value\":\"Talishar es un proyecto de Flesh and Blood creado por fans. Antes del commit a9c218e, una vulnerabilidad de omisi\u00f3n de autenticaci\u00f3n en la l\u00f3gica de validaci\u00f3n del endpoint de juego de Talishar permite a cualquier atacante no autenticado realizar acciones de juego autenticadas \u2014 incluyendo el env\u00edo de mensajes de chat y la introducci\u00f3n de entradas de juego \u2014 al proporcionar un par\u00e1metro authKey vac\u00edo (authKey=). La validaci\u00f3n del lado del servidor utiliza una comparaci\u00f3n laxa que acepta una cadena vac\u00eda como credencial v\u00e1lida, mientras que rechaza correctamente las claves no vac\u00edas pero incorrectas. Esta asimetr\u00eda significa que el mecanismo de autenticaci\u00f3n puede ser completamente omitido sin conocer ning\u00fan token v\u00e1lido. Este problema ha sido parcheado en el commit a9c218e.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-287\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:talishar:talishar:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2026-02-22\",\"matchCriteriaId\":\"EB6EC428-F449-46D5-B308-45979347E391\"}]}]}],\"references\":[{\"url\":\"https://github.com/Talishar/Talishar/commit/a9c218efa37756c9e7eed056fbff6ee03f79aefc\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/Talishar/Talishar/security/advisories/GHSA-2659-p579-wv83\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-28428\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-09T19:54:17.946170Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-09T19:54:23.944Z\"}}], \"cna\": {\"title\": \"Talishar: Authentication Bypass via Empty authKey Parameter Allows Unauthenticated Game Actions\", \"source\": {\"advisory\": \"GHSA-2659-p579-wv83\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"Talishar\", \"product\": \"Talishar\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c a9c218efa37756c9e7eed056fbff6ee03f79aefc\"}]}], \"references\": [{\"url\": \"https://github.com/Talishar/Talishar/security/advisories/GHSA-2659-p579-wv83\", \"name\": \"https://github.com/Talishar/Talishar/security/advisories/GHSA-2659-p579-wv83\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/Talishar/Talishar/commit/a9c218efa37756c9e7eed056fbff6ee03f79aefc\", \"name\": \"https://github.com/Talishar/Talishar/commit/a9c218efa37756c9e7eed056fbff6ee03f79aefc\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Talishar is a fan-made Flesh and Blood project. Prior to commit a9c218e, an authentication bypass vulnerability in Talishar\u0027s game endpoint validation logic allows any unauthenticated attacker to perform authenticated game actions \\u2014 including sending chat messages and submitting game inputs \\u2014 by supplying an empty authKey parameter (authKey=). The server-side validation uses a loose comparison that accepts an empty string as a valid credential, while correctly rejecting non-empty but incorrect keys. This asymmetry means the authentication mechanism can be completely bypassed without knowing any valid token. This issue has been patched in commit a9c218e.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-287\", \"description\": \"CWE-287: Improper Authentication\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-06T04:59:52.271Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-28428\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-09T19:54:28.169Z\", \"dateReserved\": \"2026-02-27T15:54:05.137Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-06T04:59:52.271Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.