{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28428", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-27T15:54:05.137Z", "datePublished": "2026-03-06T04:59:52.271Z", "dateUpdated": "2026-03-09T19:54:28.169Z"}, "containers": {"cna": {"title": "Talishar: Authentication Bypass via Empty authKey Parameter Allows Unauthenticated Game Actions", "problemTypes": [{"descriptions": [{"cweId": "CWE-287", "lang": "en", "description": "CWE-287: Improper Authentication", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/Talishar/Talishar/security/advisories/GHSA-2659-p579-wv83", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Talishar/Talishar/security/advisories/GHSA-2659-p579-wv83"}, {"name": "https://github.com/Talishar/Talishar/commit/a9c218efa37756c9e7eed056fbff6ee03f79aefc", "tags": ["x_refsource_MISC"], "url": "https://github.com/Talishar/Talishar/commit/a9c218efa37756c9e7eed056fbff6ee03f79aefc"}], "affected": [{"vendor": "Talishar", "product": "Talishar", "versions": [{"version": "< a9c218efa37756c9e7eed056fbff6ee03f79aefc", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-06T04:59:52.271Z"}, "descriptions": [{"lang": "en", "value": "Talishar is a fan-made Flesh and Blood project. Prior to commit a9c218e, an authentication bypass vulnerability in Talishar's game endpoint validation logic allows any unauthenticated attacker to perform authenticated game actions \u2014 including sending chat messages and submitting game inputs \u2014 by supplying an empty authKey parameter (authKey=). The server-side validation uses a loose comparison that accepts an empty string as a valid credential, while correctly rejecting non-empty but incorrect keys. This asymmetry means the authentication mechanism can be completely bypassed without knowing any valid token. This issue has been patched in commit a9c218e."}], "source": {"advisory": "GHSA-2659-p579-wv83", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-09T19:54:17.946170Z", "id": "CVE-2026-28428", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T19:54:28.169Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28428", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-09T19:54:17.946170Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T19:54:23.944Z"}}], "cna": {"title": "Talishar: Authentication Bypass via Empty authKey Parameter Allows Unauthenticated Game Actions", "source": {"advisory": "GHSA-2659-p579-wv83", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "Talishar", "product": "Talishar", "versions": [{"status": "affected", "version": "< a9c218efa37756c9e7eed056fbff6ee03f79aefc"}]}], "references": [{"url": "https://github.com/Talishar/Talishar/security/advisories/GHSA-2659-p579-wv83", "name": "https://github.com/Talishar/Talishar/security/advisories/GHSA-2659-p579-wv83", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/Talishar/Talishar/commit/a9c218efa37756c9e7eed056fbff6ee03f79aefc", "name": "https://github.com/Talishar/Talishar/commit/a9c218efa37756c9e7eed056fbff6ee03f79aefc", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Talishar is a fan-made Flesh and Blood project. Prior to commit a9c218e, an authentication bypass vulnerability in Talishar's game endpoint validation logic allows any unauthenticated attacker to perform authenticated game actions \u2014 including sending chat messages and submitting game inputs \u2014 by supplying an empty authKey parameter (authKey=). The server-side validation uses a loose comparison that accepts an empty string as a valid credential, while correctly rejecting non-empty but incorrect keys. This asymmetry means the authentication mechanism can be completely bypassed without knowing any valid token. This issue has been patched in commit a9c218e."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-287", "description": "CWE-287: Improper Authentication"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-06T04:59:52.271Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28428", "state": "PUBLISHED", "dateUpdated": "2026-03-09T19:54:28.169Z", "dateReserved": "2026-02-27T15:54:05.137Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-06T04:59:52.271Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:talishar:talishar:*:*:*:*:*:*:*:*", "matchCriteriaId": "EB6EC428-F449-46D5-B308-45979347E391", "versionEndExcluding": "2026-02-22", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Talishar is a fan-made Flesh and Blood project. Prior to commit a9c218e, an authentication bypass vulnerability in Talishar's game endpoint validation logic allows any unauthenticated attacker to perform authenticated game actions \u2014 including sending chat messages and submitting game inputs \u2014 by supplying an empty authKey parameter (authKey=). The server-side validation uses a loose comparison that accepts an empty string as a valid credential, while correctly rejecting non-empty but incorrect keys. This asymmetry means the authentication mechanism can be completely bypassed without knowing any valid token. This issue has been patched in commit a9c218e."}, {"lang": "es", "value": "Talishar es un proyecto de Flesh and Blood creado por fans. Antes del commit a9c218e, una vulnerabilidad de omisi\u00f3n de autenticaci\u00f3n en la l\u00f3gica de validaci\u00f3n del endpoint de juego de Talishar permite a cualquier atacante no autenticado realizar acciones de juego autenticadas \u2014 incluyendo el env\u00edo de mensajes de chat y la introducci\u00f3n de entradas de juego \u2014 al proporcionar un par\u00e1metro authKey vac\u00edo (authKey=). La validaci\u00f3n del lado del servidor utiliza una comparaci\u00f3n laxa que acepta una cadena vac\u00eda como credencial v\u00e1lida, mientras que rechaza correctamente las claves no vac\u00edas pero incorrectas. Esta asimetr\u00eda significa que el mecanismo de autenticaci\u00f3n puede ser completamente omitido sin conocer ning\u00fan token v\u00e1lido. Este problema ha sido parcheado en el commit a9c218e."}], "id": "CVE-2026-28428", "lastModified": "2026-04-20T12:57:06.860", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-06T05:16:31.607", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/Talishar/Talishar/commit/a9c218efa37756c9e7eed056fbff6ee03f79aefc"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/Talishar/Talishar/security/advisories/GHSA-2659-p579-wv83"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[0,a9c218efa37756c9e7eed056fbff6ee03f79aefc)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Talishar", "source": "cna", "vendor": "Talishar"}, "product": "talishar", "vendor": "talishar"}], "analysis": {"en": {"generated_at": "2026-04-17T12:24:20.521956+00:00", "value": {"mitigation_remediation": ["Apply the patch that replaces the loose comparison with a strict equality check, addressing the authentication bypass (CWE\u2011287).", "Restart the Talishar server to load the corrected authentication logic.", "If patching is not immediately possible, temporarily configure the server to reject any game requests that lack a valid, non\u2011empty authKey or that provide an empty authKey, mitigating the authentication bypass."], "summary": {"action": "Patch", "impact": "Authentication Bypass"}, "threat_synthesis": {"affected_systems": "This vulnerability affects the Talishar fan\u2011made Flesh and Blood project. Any deployment of the game server running a version of the code prior to commit a9c218e is vulnerable; newer versions contain the patch.", "description_and_impact": "An authentication bypass flaw in Talishar\u2019s game endpoint validation allows any attacker to carry out actions that normally require authentication, such as sending chat messages or submitting game inputs, simply by providing an empty authKey parameter. The server compares the supplied credential loosely, accepting an empty string as valid while rejecting non\u2011empty incorrect keys, creating a critical asymmetry in the authentication logic.", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity, and the EPSS score of less than 1\u202f% suggests low current exploitation probability. The issue is not listed in the CISA KEV catalog. Because the attack requires only the submission of an empty authKey, it can be executed remotely over the public network without prior knowledge of valid credentials, effectively granting unauthenticated users privileged actions within the game."}}}}, "created": "2026-03-06T14:55:39.773026+00:00", "updated": "2026-04-17T12:30:06.264718+00:00", "vendors": ["talishar", "talishar$PRODUCT$talishar"]}