CVE Vulnerability Details: CVE-2026-34460
PUBLISHED
Assigner: GitHub_M
Assigner Org ID: a0819718-46f1-4df5-94e2-005712e83aaa
Published At: 02 Jun, 2026 | 15:29
Updated At: 02 Jun, 2026 | 17:35
CVE Numbering Authority (CNA)
NamelessMC: OAuth callback `state` is not validated, allowing login CSRF / session swapping

NamelessMC is website software for Minecraft servers. In versions 2.2.4 and prior, the OAuth callback handling does not validate the state parameter server-side before exchanging the authorization code. This allows an attacker to capture a valid OAuth callback URL for their own account and cause a victim's browser to navigate to it, resulting in the victim's session being authenticated as the attacker-linked account (OAuth login CSRF / session swapping). This is patched in version 2.2.5.
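
The server-side check the description says was missing, shown as an added Python example; it is not NamelessMC's code or its 2.2.5 patch. The session dictionaries, `STATE_KEY`, the `idp.example` and `site.example` URLs and `fake_exchange` are assumptions constructed for illustration.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

STATE_KEY = "oauth_state"  # hypothetical session key, not NamelessMC's


class StateError(Exception):
    """Callback state is missing, mismatched or already used."""


def begin_login(session, authorize_url, client_id):
    """Bind a fresh one-time state to this session and build the redirect URL."""
    state = session[STATE_KEY] = secrets.token_urlsafe(32)
    return authorize_url + "?" + urlencode(
        {"response_type": "code", "client_id": client_id, "state": state})


def handle_callback(session, callback_url, exchange_code):
    """Check state against the session BEFORE the code is exchanged."""
    params = parse_qs(urlparse(callback_url).query)
    received, code = (params.get(k, [""])[0] for k in ("state", "code"))
    expected = session.pop(STATE_KEY, None)  # single use, even when the check fails
    if not expected or not received or not code:
        raise StateError("missing state or code")
    if not hmac.compare_digest(expected.encode(), received.encode()):
        raise StateError("state was not issued to this session")
    return exchange_code(code)


def demo():
    """Constructed scenario: a callback issued to session A arrives in session B."""
    exchanged = []
    def fake_exchange(code):  # stands in for the provider's token request
        exchanged.append(code)
        return {"linked_account": "account-for-" + code}
    session_a, session_b = {}, {}
    redirect_a = begin_login(session_a, "https://idp.example/authorize", "client-id")
    state_a = parse_qs(urlparse(redirect_a).query)["state"][0]
    callback_a = "https://site.example/oauth?" + urlencode({"code": "codeA", "state": state_a})
    begin_login(session_b, "https://idp.example/authorize", "client-id")
    outcomes = []
    for session in (session_b, session_a):
        try:
            handle_callback(session, callback_a, fake_exchange)
            outcomes.append("accepted")
        except StateError:
            outcomes.append("rejected")
    return outcomes, exchanged
```

Because the callback is rejected before `exchange_code` runs, a callback URL issued for another session never results in a token request or a session change.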

Affected Products
Vendor: NamelessMC
Product: Nameless
Affected versions: < 2.2.5
Problem Types
Type: CWE
CWE ID: CWE-302
Description: CWE-302: Authentication Bypass by Assumed-Immutable Data
Type: CWE
CWE ID: CWE-346
Description: CWE-346: Origin Validation Error
Type: CWE
CWE ID: CWE-352
Description: CWE-352: Cross-Site Request Forgery (CSRF)
Metrics
Version: 3.1
Base score: 5.4
Base severity: MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
References
Hyperlink: https://github.com/NamelessMC/Nameless/security/advisories/GHSA-pmpw-2xvh-5xj6
Resource: x_refsource_CONFIRM
Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
References
Hyperlink: https://github.com/NamelessMC/Nameless/security/advisories/GHSA-pmpw-2xvh-5xj6
Resource: exploit