CVE-2026-28428

Talishar is a fan-made Flesh and Blood project. Prior to commit a9c218e, an authentication bypass vulnerability in Talishar's game endpoint validation logic allows any unauthenticated attacker to perform authenticated game actions — including sending chat messages and submitting game inputs — by supplying an empty authKey parameter (authKey=). The server-side validation uses a loose comparison that accepts an empty string as a valid credential, while correctly rejecting non-empty but incorrect keys. This asymmetry means the authentication mechanism can be completely bypassed without knowing any valid token. This issue has been patched in commit a9c218e.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/Talishar/Talishar/commit/a9c218efa37756c9e7eed056fbff6ee03f79aefc	Patch
https://github.com/Talishar/Talishar/security/advisories/GHSA-2659-p579-wv83	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:talishar:talishar:*:*:*:*:*:*:*:*

History

20 Apr 2026, 12:57

Type	Values Removed	Values Added
First Time		Talishar talishar Talishar
CPE		cpe:2.3:a:talishar:talishar::::::::
References	~~() https://github.com/Talishar/Talishar/commit/a9c218efa37756c9e7eed056fbff6ee03f79aefc -~~	() https://github.com/Talishar/Talishar/commit/a9c218efa37756c9e7eed056fbff6ee03f79aefc - Patch
References	~~() https://github.com/Talishar/Talishar/security/advisories/GHSA-2659-p579-wv83 -~~	() https://github.com/Talishar/Talishar/security/advisories/GHSA-2659-p579-wv83 - Exploit, Vendor Advisory

09 Mar 2026, 13:36

Type	Values Removed	Values Added
Summary		(es) Talishar es un proyecto de Flesh and Blood creado por fans. Antes del commit a9c218e, una vulnerabilidad de omisión de autenticación en la lógica de validación del endpoint de juego de Talishar permite a cualquier atacante no autenticado realizar acciones de juego autenticadas — incluyendo el envío de mensajes de chat y la introducción de entradas de juego — al proporcionar un parámetro authKey vacío (authKey=). La validación del lado del servidor utiliza una comparación laxa que acepta una cadena vacía como credencial válida, mientras que rechaza correctamente las claves no vacías pero incorrectas. Esta asimetría significa que el mecanismo de autenticación puede ser completamente omitido sin conocer ningún token válido. Este problema ha sido parcheado en el commit a9c218e.

06 Mar 2026, 05:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-06 05:16

Updated : 2026-04-20 12:57

NVD link : CVE-2026-28428

Mitre link : CVE-2026-28428

CVE.ORG link : CVE-2026-28428

JSON object : View

Products Affected

talishar

talishar

CWE

CWE-287

Improper Authentication

5.3 /10