CVE-2026-35447 Overview
CVE-2026-35447 is an authorization bypass vulnerability in NamelessMC, website software designed for Minecraft servers. The flaw exists in version 2.2.4, specifically in the profile page handler at modules/Core/pages/profile.php. The component processes wall post submissions and replies before checking whether the requesting user is authorized to view the target profile. Any authenticated user holding the profile.post permission can write wall posts to private or blocking profiles. The reply handler also fails to verify that the target wall post belongs to the current profile, enabling reply injection into arbitrary wall posts on other profiles. The issue is tracked as CWE-201 and patched in version 2.2.5.
Critical Impact
Authenticated attackers can post to private profiles and inject replies into arbitrary wall posts owned by other users, bypassing profile privacy controls.
Affected Products
- NamelessMC version 2.2.4
- Minecraft community websites using NamelessMC
- Installations exposing the profile module to authenticated users
Discovery Timeline
- 2026-06-02 - CVE-2026-35447 published to NVD
- 2026-06-02 - Last updated in NVD database
Technical Details for CVE-2026-35447
Vulnerability Analysis
The vulnerability stems from incorrect ordering of authorization checks within modules/Core/pages/profile.php. When a user requests a profile page, the controller processes incoming wall post and reply submissions before evaluating whether the viewer should have access to the profile being requested. NamelessMC supports private profiles and a user-level block feature that should prevent unauthorized viewers from interacting with restricted profiles. Because the write operations execute prior to the access check, the privacy enforcement is effectively skipped on POST requests. The reply branch contains a second flaw: it accepts a wall post identifier without confirming that the post belongs to the profile referenced in the URL. An attacker can therefore submit a reply through any accessible profile URL and target a wall post owned by a different profile entirely.
Root Cause
The root cause is broken access control combined with missing object ownership validation. The controller logic processes mutations before enforcing profile-level authorization, and the reply handler does not validate the relationship between the supplied post identifier and the profile context.
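The following is an added reference model of the corrected control flow, not NamelessMC's own code: the User, WallPost and can_view names are assumptions standing in for the project's real profile and permission classes. It shows the ordering the advisory describes as the fix, with the profile access check and the reply ownership check both evaluated before any row is written.

```python
from dataclasses import dataclass, field

# Added example, not NamelessMC code: User, WallPost and can_view are
# assumed stand-ins for the real profile and permission classes.


@dataclass
class User:
    name: str
    permissions: set = field(default_factory=set)
    private: bool = False
    blocked: set = field(default_factory=set)   # usernames this user has blocked


@dataclass
class WallPost:
    post_id: int
    profile: str                                # wall owner's username
    author: str
    content: str
    replies: list = field(default_factory=list)


class AuthorizationError(Exception):
    pass


def can_view(viewer: User, owner: User) -> bool:
    """Profile-level rule (assumed): owners see their own page, blocked
    users never do, and private profiles are visible only to their owner."""
    if viewer.name == owner.name:
        return True
    if viewer.name in owner.blocked:
        return False
    return not owner.private


def handle_profile_post(viewer: User, owner: User, posts: dict, form: dict) -> WallPost:
    """Corrected ordering: every authorization check runs before any write.

    1. the permission gate (profile.post)
    2. the profile access check (the step 2.2.4 ran only after the write)
    3. for replies, the parent post must sit on the profile named in the URL
       (the ownership check 2.2.4 lacked)
    """
    if "profile.post" not in viewer.permissions:
        raise AuthorizationError("viewer lacks profile.post")
    if not can_view(viewer, owner):
        raise AuthorizationError("viewer may not access this profile")

    if "reply_to" in form:
        parent = posts.get(form["reply_to"])
        if parent is None or parent.profile != owner.name:
            raise AuthorizationError("parent post is not on this profile")
        parent.replies.append((viewer.name, form["content"]))
        return parent

    post_id = max(posts, default=0) + 1
    posts[post_id] = WallPost(post_id, owner.name, viewer.name, form["content"])
    return posts[post_id]


def submit(viewer: User, owner: User, posts: dict, form: dict) -> str:
    """Controller-style wrapper: 'ok' on success, otherwise the denial reason."""
    try:
        handle_profile_post(viewer, owner, posts, form)
        return "ok"
    except AuthorizationError as exc:
        return f"denied: {exc}"
```

The ownership check compares the parent post's profile with the profile from the request context rather than trusting the submitted identifier, so a reply can only ever land on a wall the viewer has already been authorized to see.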
Attack Vector
Exploitation requires network access to the NamelessMC instance and an authenticated account that holds the profile.post permission. The attacker submits a crafted POST request targeting the profile endpoint of a private or blocking user, or supplies a wall post identifier belonging to another profile to inject a reply. No user interaction from the victim is needed.
No verified proof-of-concept code is available. See the GitHub Security Advisory for additional technical detail.
Detection Methods for CVE-2026-35447
Indicators of Compromise
- Wall posts or replies appearing on private profiles from accounts that should not have viewing access
- Reply records where the parent post identifier does not belong to the profile referenced in the originating request URL
- POST requests to /profile/<user> from accounts that received access-denied responses on the matching GET request
Detection Strategies
- Review web server access logs for POST requests to profile endpoints from accounts whose GET requests for the same path returned an access-denied response
- Query the NamelessMC database for wall post and reply rows whose author lacks viewing permission on the target profile owner
- Correlate profile.post permission usage against blocking relationships stored in the user table
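As an added example (not part of the advisory or of NamelessMC), the script below applies the first log-based strategy and the burst rule from the monitoring recommendations to a constructed access log. It assumes a custom log format that records the authenticated site account as its second field, since stock web server logs carry no application user, and it treats HTTP 403 as the access-denied response; both are assumptions that need adjusting to the real deployment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format (not a NamelessMC default): the second field is the
# authenticated site account, which requires a custom web server log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \d+$'
)
PROFILE_RE = re.compile(r'^/profile/[^/?#]+')
DENIED_STATUSES = {403}   # assumption: adjust if the site renders denials as 200

# Constructed sample log: alice is denied bob's profile, then posts to it and
# to two more profiles within minutes; erin is an ordinary visitor.
SAMPLE_LOG = """\
203.0.113.5 alice [02/Jun/2026:10:00:01 +0000] "GET /profile/bob HTTP/1.1" 403 512
203.0.113.5 alice [02/Jun/2026:10:00:09 +0000] "POST /profile/bob HTTP/1.1" 302 0
203.0.113.5 alice [02/Jun/2026:10:01:00 +0000] "POST /profile/carol HTTP/1.1" 302 0
203.0.113.5 alice [02/Jun/2026:10:02:00 +0000] "POST /profile/dave HTTP/1.1" 302 0
198.51.100.7 erin [02/Jun/2026:10:03:00 +0000] "GET /profile/bob HTTP/1.1" 200 8192
198.51.100.7 erin [02/Jun/2026:10:03:30 +0000] "POST /profile/bob HTTP/1.1" 302 0
"""


def parse_line(line: str):
    """Return a record dict for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]      # drop the query string
    return rec


def load_records(text: str) -> list:
    return [r for r in map(parse_line, text.splitlines()) if r]


def find_post_after_denied_get(records, window=timedelta(minutes=30)):
    """Rule 1: a POST to a profile path by an account whose GET of the same
    path was denied shortly before. Returns (user, path, post_time) tuples."""
    denied = {}                                     # (user, path) -> last denied GET
    hits = []
    for r in sorted(records, key=lambda r: r["time"]):
        if not PROFILE_RE.match(r["path"]):
            continue
        key = (r["user"], r["path"])
        if r["method"] == "GET" and r["status"] in DENIED_STATUSES:
            denied[key] = r["time"]
        elif r["method"] == "POST" and key in denied and r["time"] - denied[key] <= window:
            hits.append((r["user"], r["path"], r["time"]))
    return hits


def find_post_bursts(records, threshold=3, window=timedelta(minutes=5)):
    """Rule 2: one account POSTing to at least `threshold` distinct profile
    paths inside `window`. Returns (user, distinct_profile_count) tuples."""
    by_user = defaultdict(list)
    for r in records:
        if r["method"] == "POST" and PROFILE_RE.match(r["path"]):
            by_user[r["user"]].append((r["time"], r["path"]))
    alerts = []
    for user, events in by_user.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            paths = {p for t, p in events[i:] if t - t0 <= window}
            if len(paths) >= threshold:
                alerts.append((user, len(paths)))
                break
    return alerts


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG)
    print("post after denied GET:", find_post_after_denied_get(recs))
    print("burst posters:", find_post_bursts(recs))
```

Rule 1 only keys on the same account and path, so a legitimate user who was denied, was later granted access, and then posted will still surface; treat the output as a triage list to be checked against the profile's privacy history rather than as a verdict.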
Monitoring Recommendations
- Enable verbose logging on the profile module and forward events to a centralized log platform for review
- Alert on bursts of wall post or reply submissions targeting multiple distinct profiles from a single account
- Track changes to user privacy settings followed by content created on those profiles within a short window
How to Mitigate CVE-2026-35447
Immediate Actions Required
- Upgrade NamelessMC to version 2.2.5 or later, which corrects the authorization ordering and validates post ownership
- Audit existing wall posts and replies created on version 2.2.4 for entries authored by users without legitimate access
- Review and tighten the assignment of the profile.post permission across user groups
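The audit step above, as an added example that is not NamelessMC code: it walks constructed wall post and reply rows and flags every entry whose author could not have viewed the owning profile under the current privacy and block state. The row layout and column names are assumptions chosen to mirror the relationships the advisory describes, not the project's real schema.

```python
# Added example, not NamelessMC code. The row layout is constructed to stand
# in for the real wall post and reply tables; column names are assumptions.

# Constructed sample rows: per-user privacy state, wall posts, and replies.
USERS = {
    "bob":   {"private": True,  "blocked": set()},
    "carol": {"private": False, "blocked": set()},
    "dave":  {"private": False, "blocked": {"alice"}},
    "alice": {"private": False, "blocked": set()},
}
WALL_POSTS = [
    {"id": 1, "profile": "bob",   "author": "bob"},     # owner on own wall
    {"id": 2, "profile": "bob",   "author": "alice"},   # bob is private to alice
    {"id": 3, "profile": "carol", "author": "alice"},   # legitimate
    {"id": 4, "profile": "dave",  "author": "alice"},   # dave blocks alice
]
REPLIES = [
    {"id": 10, "post_id": 3,  "author": "carol"},       # legitimate
    {"id": 11, "post_id": 1,  "author": "alice"},       # reply onto bob's private wall
    {"id": 12, "post_id": 99, "author": "erin"},        # orphaned parent identifier
]


def can_view(viewer: str, owner: str, users: dict) -> bool:
    """Assumed profile-level rule: owners always see their own profile,
    blocked users never do, private profiles are owner-only."""
    if viewer == owner:
        return True
    if viewer in users[owner]["blocked"]:
        return False
    return not users[owner]["private"]


def audit_wall_posts(users: dict, posts: list) -> list:
    """IDs of wall posts whose author cannot view the wall owner's profile."""
    return [p["id"] for p in posts if not can_view(p["author"], p["profile"], users)]


def audit_replies(users: dict, posts: list, replies: list) -> list:
    """IDs of replies whose parent post is missing or sits on a profile the
    reply author cannot view; the parent's profile, not the reply's own
    request path, decides which owner's privacy applies."""
    owner_of = {p["id"]: p["profile"] for p in posts}
    findings = []
    for r in replies:
        owner = owner_of.get(r["post_id"])
        if owner is None or not can_view(r["author"], owner, users):
            findings.append(r["id"])
    return findings


if __name__ == "__main__":
    print("suspect wall posts:", audit_wall_posts(USERS, WALL_POSTS))
    print("suspect replies:", audit_replies(USERS, WALL_POSTS, REPLIES))
```

The audit evaluates today's privacy and block settings, so a post written while a profile was still public will not be flagged and a post written legitimately before a later block will be; pair the results with the privacy-change tracking described under Monitoring Recommendations before removing content.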
Patch Information
The maintainers released a fix in NamelessMC version 2.2.5. The patch enforces profile access checks before processing wall post and reply submissions and validates that a reply's parent post belongs to the profile in the request context. Details are published in the GitHub Security Advisory GHSA-c9xj-rxgw-g2hq.
Workarounds
- Temporarily revoke the profile.post permission from non-trusted user groups until the upgrade is applied
- Restrict access to the profile module at the web server or reverse proxy layer for unauthenticated and low-trust users
- Disable wall posts site-wide through the administrative configuration if upgrading immediately is not feasible
# Example: upgrading NamelessMC to 2.2.5 from a git checkout
# (back up the web root and the database before running these steps)
cd /var/www/nameless
git fetch --tags
git checkout v2.2.5
php core/includes/upgrade.php
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.