CVE-2026-35443 Overview
CVE-2026-35443 is a missing authorization vulnerability [CWE-862] in NamelessMC, website software for Minecraft servers. The flaw exists in modules/Forum/classes/ForumPostReactionContext.php in version 2.2.4. The code verifies that the caller can view the forum but fails to re-enforce topic-level view_other_topics authorization. Authenticated users in forums configured to restrict topic visibility can read and modify reactions on other users' topics. Version 2.2.5 fixes the issue.
Critical Impact
Authenticated users can bypass topic-level visibility restrictions to access and modify reactions on forum topics they should not be able to view.
Affected Products
- NamelessMC version 2.2.4
- NamelessMC Forum module (modules/Forum)
- Minecraft server websites using NamelessMC for community features
Discovery Timeline
- 2026-06-02 - CVE-2026-35443 published to NVD
- 2026-06-02 - Last updated in NVD database
Technical Details for CVE-2026-35443
Vulnerability Analysis
The vulnerability resides in the ForumPostReactionContext.php class within the NamelessMC Forum module. NamelessMC supports a permission model where administrators can restrict topic visibility within a forum. The view_other_topics permission controls whether users can see topics created by other members. When this permission is denied, users should only interact with their own topics.
The reaction context handler performs an authorization check only at the forum level. It verifies that the requesting user has permission to view the forum container itself. This single-layer check ignores the granular topic-level authorization required when view_other_topics is restricted.
As a result, an authenticated user can interact with reaction endpoints tied to topics created by other users. The user can both read reaction data and modify reactions on those topics, breaking the configured access boundary.
Root Cause
The root cause is incomplete authorization enforcement [CWE-862]. The code path validates forum-level access but omits the topic-level check for view_other_topics. Authorization logic that exists elsewhere in the application for direct topic viewing is not mirrored in the reaction context handler.
Attack Vector
An authenticated attacker with the lowest level of forum access submits requests to the reaction endpoint targeting topics owned by other users. Because privileges are required and the attack is delivered over the network, exploitation is straightforward but limited to users who already hold an account on the affected NamelessMC instance. The result is unauthorized read and write access to reaction data on restricted topics. No verified public exploit code is available. See the GitHub Security Advisory for additional technical detail.
Detection Methods for CVE-2026-35443
Indicators of Compromise
- Web access log entries showing repeated requests to forum reaction endpoints from non-administrative user accounts targeting topic IDs the user did not author.
- Database rows in the reactions table associating user IDs with topics in forums where those users lack view_other_topics permission.
- Application audit log entries recording reaction additions or removals on topics not owned by the acting user.
Detection Strategies
- Audit the reactions table and join against topic ownership and forum permission settings to identify anomalous cross-user reaction activity.
- Inspect HTTP request logs for high-volume access to ForumPostReactionContext endpoints by accounts with restricted permissions.
- Review NamelessMC version reporting across managed instances to identify hosts still running version 2.2.4.
Monitoring Recommendations
- Forward web server and PHP application logs to a centralized logging platform for permission-context analysis.
- Alert on reaction modifications performed by users who lack the view_other_topics permission for the parent forum.
- Track NamelessMC version inventory and flag any deployments at or below version 2.2.4.
How to Mitigate CVE-2026-35443
Immediate Actions Required
- Upgrade NamelessMC to version 2.2.5, which adds the missing topic-level authorization check in ForumPostReactionContext.php.
- Audit forum permission configurations and confirm that view_other_topics restrictions are applied as intended on sensitive forums.
- Review reaction data on restricted forums for entries that predate the upgrade and may reflect prior unauthorized activity.
Patch Information
The maintainers released NamelessMC 2.2.5 with the fix. The patch adds the topic-level view_other_topics authorization check to the reaction context handler. Refer to the NamelessMC GHSA-wcrf-5gcp-pf64 advisory for the official advisory.
Workarounds
- If immediate upgrade is not feasible, disable the Forum module on instances that rely on view_other_topics restrictions until the patch is applied.
- Temporarily grant view_other_topics only to trusted user groups and remove the permission from default member roles to limit exposure.
- Restrict account registration on affected instances to reduce the population of authenticated users who could exercise the flaw.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
