CVE-2026-28428 Overview
CVE-2026-28428 is an authentication bypass vulnerability in Talishar, a fan-made Flesh and Blood online card game project. The vulnerability exists in the game endpoint validation logic, where a loose comparison allows any unauthenticated attacker to perform authenticated game actions by supplying an empty authKey parameter (authKey=). This flaw enables attackers to send chat messages and submit game inputs without possessing valid credentials.
Critical Impact
Unauthenticated attackers can bypass the authKey check by submitting an empty authKey parameter and then perform the game actions that check protects, including chat messaging and game input submission, in an active game.
Affected Products
- Talishar (all versions prior to commit a9c218e)
Discovery Timeline
- 2026-03-06 - CVE CVE-2026-28428 published to NVD
- 2026-03-09 - Last updated in NVD database
Technical Details for CVE-2026-28428
Vulnerability Analysis
This vulnerability stems from PHP's type juggling under the loose comparison operators (== and !=) rather than the strict ones (=== and !==). The authentication check compares the user-supplied authKey against the key stored for the requesting player. Under loose comparison an empty string is equal to null, to false and, before PHP 8.0, to the integer 0, but it is never equal to a non-empty string. An empty authKey therefore passes the check whenever the value the application holds as the expected key is one of those loosely-equal values (the patch excerpt in the Attack Vector section does not show how $targetAuth is loaded), while a non-empty wrong key is still rejected. That asymmetry, a request that passes with no key but fails with a wrong one, is what makes the flaw exploitable.
The vulnerability is classified under CWE-287 (Improper Authentication), indicating a fundamental flaw in how the application verifies user identity before allowing access to protected functionality.
Root Cause
The root cause is the use of PHP's loose inequality operator (!=) instead of the strict operator (!==) when validating authentication keys. Loose comparison applies PHP's type juggling rules. An empty string compared with a non-empty string is simply unequal, so $authKey != $targetAuth is true and the request is rejected as intended. But if $targetAuth is null, false or (before PHP 8.0) the integer 0, for instance when no key was ever loaded for that player and the variable is unset, the same expression is false for an empty $authKey and the check is bypassed. The strict operator compares type as well as value, so an empty string equals none of those.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability by:
- Identifying game API endpoints that require authentication (e.g., ChooseFirstPlayer.php, GetLastActiveGame.php)
- Sending requests to these endpoints with an empty authKey parameter
- The server's loose comparison accepts the empty string as valid credentials
- The attacker gains ability to perform authenticated actions within any active game session
The following code shows the security patch that addresses this vulnerability:
include "../MenuFiles/WriteGamefile.php";
$targetAuth = ($playerID == 1 ? $p1Key : $p2Key);
-if ($authKey != $targetAuth) {
+if ($authKey !== $targetAuth) {
// Failsafe: Use game file's auth key if mismatch (lost on page refresh)
$authKey = $targetAuth;
}
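Review bot: the mismatch branch still does not reject the request. After `if ($authKey !== $targetAuth) {` the only statement is `$authKey = $targetAuth;`, so a request that arrives with a wrong or empty key leaves this block holding the correct key, and switching `!=` to `!==` only changes which inputs take that branch. Unless code not shown here re-checks the original value, the branch should fail the request (respond with an error and stop) rather than overwrite the key; the "lost on page refresh" case described in the comment belongs on the client, which should resend its key. `$playerID == 1` on the line above is also still a loose comparison; `(int) $playerID === 1` would keep it consistent with the strict check being introduced.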
Source: GitHub Commit Details
The fix replaces the loose comparison operator (!=) with PHP's strict comparison operator (!==), which requires the two operands to have the same type as well as the same value. An empty string is then unequal to null, false, 0 and any non-empty string alike, so an empty authKey no longer satisfies the check.
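The following PHP script is an added illustration, not code from the advisory or from the Talishar project. It runs an empty authKey, and a few other classic type-juggling inputs, through the vulnerable loose check, the patched strict check, and a further hardened check that also rejects an absent key on either side and compares in constant time. The key strings and function names are made up for the example, and PHP 8 semantics are assumed.

```php
<?php
// Added example, not Talishar code: how PHP's loose (==/!=) and strict (===/!==)
// operators treat an empty authKey against different values the application
// might hold as the expected key. Names and key values are illustrative.
declare(strict_types=1);

/** The vulnerable pattern: the request is accepted when "$authKey != $targetAuth" is false. */
function acceptedLoose(mixed $authKey, mixed $targetAuth): bool
{
    return !($authKey != $targetAuth);
}

/** The patched pattern: the request is accepted when "$authKey !== $targetAuth" is false. */
function acceptedStrict(mixed $authKey, mixed $targetAuth): bool
{
    return !($authKey !== $targetAuth);
}

/**
 * Hardened check (assumed, not the project's): both sides must be non-empty
 * strings, and the comparison runs in constant time via hash_equals so timing
 * does not leak key bytes. Unlike the strict check, null === null is rejected.
 */
function acceptedHardened(mixed $authKey, mixed $targetAuth): bool
{
    if (!is_string($authKey) || !is_string($targetAuth)) {
        return false;
    }
    if ($authKey === '' || $targetAuth === '') {
        return false;
    }
    return hash_equals($targetAuth, $authKey);
}

/** Run every case through the three checks and return the verdicts. */
function comparisonMatrix(array $cases): array
{
    $rows = [];
    foreach ($cases as [$label, $supplied, $stored]) {
        $rows[$label] = [
            'loose'    => acceptedLoose($supplied, $stored),
            'strict'   => acceptedStrict($supplied, $stored),
            'hardened' => acceptedHardened($supplied, $stored),
        ];
    }
    return $rows;
}

// Constructed cases: [label, supplied authKey, value held as the expected key].
// PHP 8 semantics; on PHP 7 the integer 0 was also loosely equal to ''.
$cases = [
    ['empty vs real key',          '',            'p1-k7Qe3Wz'],
    ['empty vs null (key absent)', '',            null],
    ['empty vs false',             '',            false],
    ['"0" vs false',               '0',           false],
    ['numeric strings 1e3/1000',   '1e3',         '1000'],
    ['both absent (null)',         null,          null],
    ['correct key',                'p1-k7Qe3Wz',  'p1-k7Qe3Wz'],
];

foreach (comparisonMatrix($cases) as $label => $r) {
    printf(
        "%-28s loose=%-4s strict=%-4s hardened=%s\n",
        $label,
        $r['loose'] ? 'pass' : 'fail',
        $r['strict'] ? 'pass' : 'fail',
        $r['hardened'] ? 'pass' : 'fail'
    );
}
```

The rows where the loose check passes and the strict check fails show the operator change closing the hole. The both-null row shows that !== alone still accepts two absent values, which is why the hardened check insists on non-empty strings before calling hash_equals.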
Detection Methods for CVE-2026-28428
Indicators of Compromise
- HTTP requests to game API endpoints containing authKey= with an empty value
- Unusual game actions or chat messages originating from sessions with no valid authentication
- Log entries showing successful game interactions without corresponding login events
Detection Strategies
- Monitor web server access logs for query strings in which authKey= is immediately followed by & or by the end of the query string (in a combined-format log, the space before the HTTP version); this only works when the key travels in the URL, since POST bodies are not written to access logs
- Implement anomaly detection for game sessions that perform actions without establishing valid authentication
- Review application logs for authentication validation events with empty or null key values
Monitoring Recommendations
- Enable detailed logging on all game API endpoints that records whether the authKey parameter was present and non-empty (log a present/empty flag or a hash rather than the key itself, so the logs do not become a store of valid credentials)
- Set up alerts for repeated requests with empty authentication parameters from the same source IP
- Implement rate limiting on game action endpoints to reduce the impact of automated exploitation attempts
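As an added example covering the log check in the Detection Strategies and the per-source alert in the Monitoring Recommendations above (not part of the advisory or the Talishar project), the following PHP script scans constructed combined-format access log lines for API requests whose query string carries an empty authKey and counts them per client IP. The /APIs/ prefix, endpoint names, addresses and threshold are assumptions for illustration; PHP 8 is assumed.

```php
<?php
// Added example, not Talishar code: scan combined-format access log lines for
// requests under the API path whose query string carries an empty authKey, and
// count them per client IP so repeated probing from one source stands out.
// The /APIs/ prefix, endpoint names and addresses below are assumptions.
declare(strict_types=1);

/** Parse one combined-log line into its fields; null if it does not match. */
function parseAccessLine(string $line): ?array
{
    $re = '/^(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] '
        . '"(?<method>[A-Z]+) (?<target>\S+) [^"]*" (?<status>\d{3})/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return [
        'ip'     => $m['ip'],
        'time'   => $m['time'],
        'method' => $m['method'],
        'target' => $m['target'],
        'status' => (int) $m['status'],
    ];
}

/**
 * Return the entries whose query string names authKey with an empty value.
 * A request with no authKey at all is deliberately not reported: the bypass
 * needs the parameter present ("authKey=" followed by "&" or end of query).
 */
function findEmptyAuthKeyRequests(array $lines, string $pathPrefix = '/APIs/'): array
{
    $hits = [];
    foreach ($lines as $line) {
        $entry = parseAccessLine($line);
        if ($entry === null) {
            continue;                       // unparseable line, skip it
        }
        $parts = parse_url($entry['target']);
        if ($parts === false || !str_starts_with($parts['path'] ?? '', $pathPrefix)) {
            continue;                       // not an API request
        }
        parse_str($parts['query'] ?? '', $params);
        if (isset($params['authKey']) && $params['authKey'] === '') {
            $entry['path'] = $parts['path'];
            $hits[] = $entry;
        }
    }
    return $hits;
}

/** Count hits per source IP and keep only sources at or above the threshold. */
function sourcesOverThreshold(array $hits, int $threshold): array
{
    $counts = [];
    foreach ($hits as $hit) {
        $counts[$hit['ip']] = ($counts[$hit['ip']] ?? 0) + 1;
    }
    return array_filter($counts, fn (int $n): bool => $n >= $threshold);
}

// Constructed sample lines (not real traffic): two empty-key probes from one
// address, a request with a key, a request with no authKey, a non-API page,
// and a line that is not in combined log format.
$sample = [
    '203.0.113.7 - - [06/Mar/2026:10:00:01 +0000] "GET /APIs/ChooseFirstPlayer.php?gameName=12345&playerID=1&authKey= HTTP/1.1" 200 512 "-" "curl/8.5.0"',
    '203.0.113.7 - - [06/Mar/2026:10:00:02 +0000] "GET /APIs/GetLastActiveGame.php?gameName=12345&playerID=2&authKey=&x=1 HTTP/1.1" 200 88 "-" "curl/8.5.0"',
    '198.51.100.3 - - [06/Mar/2026:10:00:03 +0000] "GET /APIs/ChooseFirstPlayer.php?gameName=12345&playerID=1&authKey=f3a9c1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.3 - - [06/Mar/2026:10:00:04 +0000] "GET /APIs/GetLastActiveGame.php?gameName=12345&playerID=1 HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    '198.51.100.3 - - [06/Mar/2026:10:00:05 +0000] "GET /index.php?authKey= HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    'this line is not in combined log format',
];

$hits = findEmptyAuthKeyRequests($sample);
foreach ($hits as $h) {
    printf("%s %s %s %s -> empty authKey\n", $h['time'], $h['ip'], $h['method'], $h['path']);
}
foreach (sourcesOverThreshold($hits, 2) as $ip => $n) {
    printf("ALERT %s sent %d empty-authKey requests\n", $ip, $n);
}
```

parse_str distinguishes a parameter that is present but empty from one that is absent, which a plain substring match on "authKey=" cannot. The script sees only what the access log records, so if clients send authKey in a POST body the check has to run inside the application instead.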
How to Mitigate CVE-2026-28428
Immediate Actions Required
- Update Talishar to commit a9c218e or later immediately
- Review server logs for evidence of exploitation attempts using empty authKey parameters
- Audit any other authentication comparison logic in the codebase for similar loose comparison vulnerabilities
Patch Information
The vulnerability has been patched in commit a9c218efa37756c9e7eed056fbff6ee03f79aefc. The patch modifies multiple API files including ChooseFirstPlayer.php and GetLastActiveGame.php to use strict comparison operators (!==) instead of loose comparisons (!=) when validating authentication keys. For detailed information, see the GitHub Security Advisory GHSA-2659.
Workarounds
- If immediate patching is not possible, implement web application firewall rules to block requests whose authKey parameter is present but empty (see the nginx example below)
- Add server-side input validation to reject empty authentication tokens before comparison logic executes
- Consider temporarily disabling affected game endpoints until the patch can be applied
# Example nginx configuration to block requests whose query string carries an
# authKey that is present but empty. A request with no authKey at all is left
# alone so endpoints that take no key keep working; $arg_authKey cannot make
# that distinction (it is empty in both cases), so the rule matches on $args.
# Adjust the location prefix to wherever the API files are served from.
location ~ ^/APIs/ {
    if ($args ~ "(^|&)authKey=(&|$)") {
        return 403;
    }
    # ... existing configuration
}
# Note: $args and $arg_* cover the query string only. If the client sends
# authKey in a POST body, nginx never sees it and this rule does not help.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

