CVE-2026-33398
Description
NamelessMC 2.2.4 allows authenticated users to read hidden forum posts by exploiting a lack of ACL checks in the get_quotes.php endpoint.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
NamelessMC 2.2.4 allows authenticated users to read hidden forum posts by exploiting a lack of ACL checks in the get_quotes.php endpoint.
Vulnerability
NamelessMC versions prior to 2.2.5 contain a vulnerability in modules/Forum/pages/forum/get_quotes.php. This script only checks if a user is logged in and then retrieves a post based on an attacker-controlled post ID. The backend helper in modules/Forum/classes/Forum.php does not enforce forum or topic Access Control Lists (ACLs), unlike the normal topic page which does enforce visibility and topic permissions.
Exploitation
An attacker with low-privileged authenticated access can exploit this vulnerability. By iterating through post IDs, they can query the /forum/get_quotes endpoint. The application will return the content of posts, even if they reside in hidden, private, or staff-only forums, as the necessary ACL checks are bypassed [1].
Impact
Successful exploitation allows any low-privileged authenticated user to read content from restricted forums. This includes sensitive information posted in hidden, private, or staff-only sections, leading to unauthorized information disclosure [1].
Mitigation
NamelessMC version 2.2.5 addresses this issue by applying the same authorization checks used by view_topic.php and enforcing topic/forum ACL validation before Forum::getIndividualPost() returns content. Users should update to version 2.2.5 or later. If an immediate update is not possible, it is recommended to apply the same authorization checks as a workaround [1].
AI Insight generated on Jun 2, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1- Range: <=2.2.4
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"The `get_quotes.php` script fails to enforce forum and topic access control lists before returning post content."
Attack vector
An attacker with low privileges must be logged into the system. They can then enumerate post IDs and send requests to the `/forum/get_quotes` endpoint with an attacker-controlled `post` ID. This bypasses the normal topic page's ACL checks, allowing access to content from hidden, private, or staff-only forums [ref_id=1].
Affected code
The vulnerability lies within `modules/Forum/pages/forum/get_quotes.php`, which only verifies if a user is logged in. The backend helper in `modules/Forum/classes/Forum.php` does not enforce necessary ACLs, unlike the normal topic page in `modules/Forum/pages/forum/view_topic.php` [ref_id=1].
What the fix does
The advisory indicates that the fix involves applying the same authorization checks used by `view_topic.php` to the `get_quotes.php` endpoint. Specifically, it requires enforcing topic and forum ACL validation before the `Forum::getIndividualPost()` function returns content. This prevents unauthorized users from accessing restricted posts [ref_id=1].
Preconditions
- authThe attacker must be a low-privileged authenticated user.
- inputThe attacker needs to know or enumerate a post ID.
Reproduction
docker exec -w /data nameless-224-php-1 php dev/scripts/request_runner.php \ --uri='/forum/get_quotes?post=2' \ --session-id='mforum_hidden' \ --session-json='{"2user":"memberhash1234567890abcdef","2token":"tok"}'
Generated on Jun 2, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1News mentions
0No linked articles in our index yet.