CVE-2026-40314 Overview
CVE-2026-40314 is a missing authorization vulnerability [CWE-862] in NamelessMC, the website software for Minecraft servers. Version 2.2.4 fails to enforce profile visibility checks on wall post reactions. The file core/classes/Misc/ProfilePostReactionContext.php only verifies that the wall post exists, without validating blocked or private profile status. The endpoint modules/Core/queries/reactions.php accepts unauthenticated GET requests for reaction details. Unauthenticated visitors can read reaction participants and timestamps on private profile posts. Authenticated low-privileged users can add reactions to private or blocking profile posts. NamelessMC version 2.2.5 resolves the issue.
Critical Impact
Unauthenticated attackers can enumerate reaction metadata on private profile posts, breaking the access boundaries enforced for blocked and private profiles.
Affected Products
- NamelessMC 2.2.4
- NamelessMC versions earlier than 2.2.5 (per advisory scope)
- Minecraft community sites running vulnerable NamelessMC instances
Discovery Timeline
- 2026-06-02 - CVE-2026-40314 published to NVD
- 2026-06-02 - Last updated in NVD database
Technical Details for CVE-2026-40314
Vulnerability Analysis
The vulnerability stems from missing access control on the reactions feature for profile wall posts. NamelessMC supports private profiles and user blocking, but the reaction context class does not consult these visibility rules. As a result, the authorization model around profile posts is incomplete: visibility checks exist for the posts themselves but not for related reaction data.
Two distinct exposures result from this gap. First, unauthenticated GET requests to the reactions query endpoint return reaction participants and timestamps, leaking social graph and activity metadata. Second, authenticated low-privileged users can post reactions to wall posts on profiles that are private or have blocked them, bypassing the intended blocklist enforcement.
The issue is classified under [CWE-862] Missing Authorization. The flaw does not yield code execution or data modification beyond reaction records, but it undermines privacy controls users rely on.
Root Cause
The root cause is incomplete authorization logic in core/classes/Misc/ProfilePostReactionContext.php. The class checks only the existence of the target wall post and omits checks for private profile status and active blocks between the actor and the profile owner. The companion endpoint modules/Core/queries/reactions.php lacks an authentication requirement entirely, allowing anonymous reads of reaction details tied to otherwise restricted posts.
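The following is an added illustration, not NamelessMC code: it models the defect the advisory describes (a reaction context that checks only post existence) next to a hardened version that derives the reaction context from the wall post's own visibility rules. The data model, the visibility rule (only the owner sees a private profile; blocked users are refused) and all function names are assumptions made for the example.

```python
"""Added illustration (not NamelessMC code): a reaction check must reuse the
wall post's visibility rules. Data model, rule set and function names are
assumptions chosen for the example."""
from dataclasses import dataclass, field


@dataclass
class Profile:
    owner: str
    private: bool = False
    blocked: set = field(default_factory=set)   # usernames this owner has blocked


@dataclass
class WallPost:
    post_id: int
    profile: Profile
    reactions: list = field(default_factory=list)  # (actor, timestamp) tuples


def post_exists(posts, post_id):
    return post_id in posts


def can_view_profile(actor, profile):
    """Assumed visibility rule: the owner always sees their own profile; everyone
    else is refused when the profile is private or when the owner blocked them.
    Anonymous visitors are represented by actor=None."""
    if actor == profile.owner:
        return True
    if profile.private:
        return False
    if actor is None:
        return True
    return actor not in profile.blocked


# Vulnerable shape (as the advisory describes it): only existence is checked,
# so anyone who knows a post id can read or add reactions.
def vulnerable_reaction_context(posts, actor, post_id):
    if not post_exists(posts, post_id):
        return None
    return posts[post_id]


# Hardened shape: the reaction context is derived from the post's visibility,
# so private-profile and block rules apply to reactions automatically.
def hardened_reaction_context(posts, actor, post_id):
    if not post_exists(posts, post_id):
        return None
    post = posts[post_id]
    if not can_view_profile(actor, post.profile):
        return None
    return post


def list_reactions(ctx_fn, posts, actor, post_id):
    """Read path (the reactions query): returns (participant, timestamp) pairs or None."""
    post = ctx_fn(posts, actor, post_id)
    return None if post is None else list(post.reactions)


def add_reaction(ctx_fn, posts, actor, post_id, timestamp):
    """Write path: anonymous actors can never react; others need a visible post."""
    if actor is None:
        return False
    post = ctx_fn(posts, actor, post_id)
    if post is None:
        return False
    post.reactions.append((actor, timestamp))
    return True


def build_sample():
    """Constructed sample data: alice has a private profile and has blocked mallory."""
    alice = Profile(owner="alice", private=True, blocked={"mallory"})
    bob = Profile(owner="bob")
    return {
        1: WallPost(1, alice, [("carol", "2026-06-01T10:00:00Z")]),
        2: WallPost(2, bob),
    }
```

With the vulnerable context an anonymous caller reads the reactions on alice's private post and mallory can react to it despite the block; with the hardened context both are refused while alice's own read and mallory's reaction on bob's public post still succeed.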
Attack Vector
An attacker reaches the vulnerable endpoint over the network with no authentication. To enumerate reactions, the attacker issues GET requests to the reactions query endpoint referencing wall post identifiers on private profiles. To add reactions to a private or blocking profile, the attacker authenticates as any low-privileged user and submits a reaction request against the target wall post. See the GitHub Security Advisory for technical details.
Detection Methods for CVE-2026-40314
Indicators of Compromise
- Unauthenticated GET requests to modules/Core/queries/reactions.php referencing wall post IDs belonging to private profiles.
- Reaction records on private profile posts originating from users on the profile owner's block list.
- Spikes in anonymous traffic targeting reaction query endpoints across multiple post identifiers, suggesting enumeration.
Detection Strategies
- Review web server access logs for requests to reactions.php lacking an authenticated session cookie.
- Correlate database reaction entries against the profile privacy and block tables to identify entries that violate visibility rules.
- Alert on sequential enumeration patterns where a single source iterates wall post IDs against the reactions endpoint.
Monitoring Recommendations
- Enable verbose HTTP request logging on NamelessMC front-end servers and forward to a centralized analytics platform.
- Monitor for repeated 200 OK responses from reactions.php to unauthenticated clients.
- Track per-IP request rates to /queries/reactions.php and flag bursts that exceed normal user behavior.
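The detection strategies and monitoring recommendations above (unauthenticated 200 responses from reactions.php, sequential post-id enumeration, per-IP bursts) can be checked directly against access logs. The script below is an added example, not part of the advisory or of NamelessMC. It assumes a custom nginx log format that appends the request's Cookie header as a final quoted field, that the session cookie is named PHPSESSID, and that the post identifier is passed as a query parameter named post; the log lines are constructed.

```python
"""Added detection example (not NamelessMC or nginx code). Runs over constructed
access-log lines in an assumed custom nginx log_format that appends the Cookie
header:
  $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_cookie"
The session cookie name and the query parameter name are assumptions."""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<cookie>[^"]*)"$'
)
REACTIONS_PATH = "/modules/Core/queries/reactions.php"
SESSION_COOKIE = "PHPSESSID"   # assumption
POST_PARAM = "post"            # assumption

# Constructed sample: one anonymous client walking post ids, one logged-in user,
# one single anonymous probe.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Jun/2026:10:00:01 +0000] "GET /modules/Core/queries/reactions.php?post=101 HTTP/1.1" 200 512 "-" "-"
203.0.113.7 - - [02/Jun/2026:10:00:01 +0000] "GET /modules/Core/queries/reactions.php?post=102 HTTP/1.1" 200 498 "-" "-"
203.0.113.7 - - [02/Jun/2026:10:00:02 +0000] "GET /modules/Core/queries/reactions.php?post=103 HTTP/1.1" 200 505 "-" "-"
203.0.113.7 - - [02/Jun/2026:10:00:02 +0000] "GET /modules/Core/queries/reactions.php?post=104 HTTP/1.1" 200 477 "-" "-"
203.0.113.7 - - [02/Jun/2026:10:00:03 +0000] "GET /modules/Core/queries/reactions.php?post=105 HTTP/1.1" 200 0 "-" "-"
198.51.100.4 - - [02/Jun/2026:10:05:10 +0000] "GET /profile/alice HTTP/1.1" 200 8123 "-" "PHPSESSID=e3b0c442"
198.51.100.4 - - [02/Jun/2026:10:05:12 +0000] "GET /modules/Core/queries/reactions.php?post=101 HTTP/1.1" 200 512 "https://example.test/profile/alice" "PHPSESSID=e3b0c442"
192.0.2.9 - - [02/Jun/2026:10:07:00 +0000] "GET /modules/Core/queries/reactions.php?post=300 HTTP/1.1" 200 0 "-" "-"
"""


def parse_line(line):
    """One log line -> dict with ip, time, path, query params, status, auth flag."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    path, _, query = rec["path"].partition("?")
    rec["path"] = path
    rec["params"] = dict(kv.split("=", 1) for kv in query.split("&") if "=" in kv)
    rec["authenticated"] = SESSION_COOKIE + "=" in rec["cookie"]
    return rec


def parse_log(text):
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def reaction_requests(records):
    return [r for r in records if r["path"] == REACTIONS_PATH]


def unauthenticated_successes(records):
    """Requests to reactions.php answered 200 without a session cookie."""
    return [r for r in reaction_requests(records)
            if r["status"] == 200 and not r["authenticated"]]


def enumeration_sources(records, min_ids=3):
    """Clients that fetched reactions for at least `min_ids` distinct post ids
    whose values are densely packed (span no more than twice the count)."""
    ids_by_ip = defaultdict(set)
    for r in reaction_requests(records):
        pid = r["params"].get(POST_PARAM, "")
        if pid.isdigit():
            ids_by_ip[r["ip"]].add(int(pid))
    flagged = {}
    for ip, ids in ids_by_ip.items():
        ordered = sorted(ids)
        span = ordered[-1] - ordered[0] + 1
        if len(ordered) >= min_ids and span <= 2 * len(ordered):
            flagged[ip] = ordered
    return flagged


def burst_sources(records, per_minute=4):
    """Per-IP reaction requests in any one-minute bucket above `per_minute`;
    returns the worst bucket count per offending IP."""
    buckets = defaultdict(int)
    for r in reaction_requests(records):
        ts = datetime.strptime(r["time"], "%d/%b/%Y:%H:%M:%S %z")
        buckets[(r["ip"], ts.strftime("%Y-%m-%dT%H:%M"))] += 1
    worst = {}
    for (ip, _), n in buckets.items():
        if n > per_minute:
            worst[ip] = max(n, worst.get(ip, 0))
    return worst


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("unauthenticated 200s:", len(unauthenticated_successes(recs)))
    print("enumeration:", enumeration_sources(recs))
    print("bursts:", burst_sources(recs))
```

On the sample, 203.0.113.7 is flagged by all three checks, while the single anonymous probe from 192.0.2.9 shows up only in the unauthenticated-200 list; tune `min_ids` and `per_minute` to the site's real traffic before alerting on them.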
How to Mitigate CVE-2026-40314
Immediate Actions Required
- Upgrade all NamelessMC instances to version 2.2.5 or later, which enforces blocked and private profile visibility on reactions.
- Audit existing reaction records for entries that violate current privacy or block relationships and remove them.
- Notify users that reaction metadata on private posts in version 2.2.4 should be considered exposed.
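The audit step above (and the database correlation strategy under Detection Strategies) can be expressed as one join across reaction, post, user and block tables. The example below is added here and is not NamelessMC code: the table layout is a hypothetical stand-in for whatever schema the deployment actually has, the sample rows are constructed, and the rule that only the owner may react on a private profile is an assumption to adjust to the site's real visibility policy.

```python
"""Added audit example (not NamelessMC code): correlate reaction rows against
profile privacy and block relationships, then remove the offending rows.
The schema is a hypothetical stand-in, not NamelessMC's real tables; the
visibility rule (only the owner may react on a private profile) is an assumption."""
import sqlite3

SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL,
                    private_profile INTEGER NOT NULL DEFAULT 0);
CREATE TABLE user_blocks (blocker_id INTEGER NOT NULL, blocked_id INTEGER NOT NULL);
CREATE TABLE profile_posts (id INTEGER PRIMARY KEY, profile_owner_id INTEGER NOT NULL,
                            author_id INTEGER NOT NULL);
CREATE TABLE post_reactions (id INTEGER PRIMARY KEY, post_id INTEGER NOT NULL,
                             user_id INTEGER NOT NULL, created_at TEXT NOT NULL);
"""

# A reaction violates the rules when the reactor is not the profile owner and
# either the owner blocked the reactor or the owner's profile is private.
VIOLATION_QUERY = """
SELECT r.id, r.post_id, r.user_id, owner.username,
       CASE WHEN b.blocker_id IS NOT NULL THEN 'blocked' ELSE 'private' END AS reason
FROM post_reactions r
JOIN profile_posts p    ON p.id = r.post_id
JOIN users owner        ON owner.id = p.profile_owner_id
LEFT JOIN user_blocks b ON b.blocker_id = owner.id AND b.blocked_id = r.user_id
WHERE r.user_id <> owner.id
  AND (b.blocker_id IS NOT NULL OR owner.private_profile = 1)
ORDER BY r.id
"""


def build_sample_db():
    """Constructed data: alice (private) blocked mallory; bob's profile is public."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?,?,?)",
                     [(1, "alice", 1), (2, "bob", 0), (3, "mallory", 0), (4, "carol", 0)])
    conn.execute("INSERT INTO user_blocks VALUES (1, 3)")
    conn.executemany("INSERT INTO profile_posts VALUES (?,?,?)", [(10, 1, 1), (20, 2, 4)])
    conn.executemany("INSERT INTO post_reactions VALUES (?,?,?,?)", [
        (1, 10, 4, "2026-06-01T09:00:00Z"),   # carol on alice's private post
        (2, 10, 3, "2026-06-01T09:05:00Z"),   # mallory, blocked by alice
        (3, 10, 1, "2026-06-01T09:10:00Z"),   # alice on her own post: fine
        (4, 20, 3, "2026-06-01T09:15:00Z"),   # mallory on bob's public post: fine
        (5, 20, 4, "2026-06-01T09:20:00Z"),   # carol on bob's public post: fine
    ])
    conn.commit()
    return conn


def find_violations(conn):
    """Rows of (reaction_id, post_id, user_id, profile_owner, reason)."""
    return conn.execute(VIOLATION_QUERY).fetchall()


def remove_violations(conn):
    """Delete every violating reaction; returns how many were removed."""
    ids = [row[0] for row in find_violations(conn)]
    conn.executemany("DELETE FROM post_reactions WHERE id = ?", [(i,) for i in ids])
    conn.commit()
    return len(ids)


def reaction_count(conn):
    return conn.execute("SELECT COUNT(*) FROM post_reactions").fetchone()[0]


if __name__ == "__main__":
    db = build_sample_db()
    for row in find_violations(db):
        print(row)
    print("removed:", remove_violations(db), "remaining:", reaction_count(db))
```

Run `find_violations` first and review the output (it reports the reason per row) before calling `remove_violations`; on a production database, export the offending rows before deleting them.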
Patch Information
NamelessMC released version 2.2.5 to address CVE-2026-40314. The patch updates core/classes/Misc/ProfilePostReactionContext.php to enforce blocked and private profile visibility and adds authentication requirements to modules/Core/queries/reactions.php. Patch details are published in the GitHub Security Advisory GHSA-55q9-8qm3-4grc.
Workarounds
- Restrict access to modules/Core/queries/reactions.php at the web server or WAF layer to authenticated sessions only.
- Temporarily disable the reactions feature on profile wall posts until the upgrade to 2.2.5 is complete.
- Apply request rate limiting on reaction endpoints to slow enumeration of private profile post metadata.
# Example nginx configuration restricting unauthenticated access to the reactions endpoint.
# Requires in the http context: limit_req_zone $binary_remote_addr zone=reactions:10m rate=5r/s;
# and an upstream block named php_upstream (adjust both to the deployment).
location = /modules/Core/queries/reactions.php {
    # Presence of a session cookie is only a coarse proxy for a logged-in user: it stops
    # cookieless scripted requests but not a client that first obtains an anonymous session.
    if ($http_cookie !~* "PHPSESSID") {
        return 403;
    }
    limit_req zone=reactions burst=10 nodelay;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass php_upstream;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


