CVE-2026-34460

An attacker can craft a malicious OAuth callback URL containing their own account's state parameter. By tricking a victim into visiting this URL, the attacker can cause the victim's browser session to be authenticated as the attacker-linked account. This occurs because the application does not verify that the returned state parameter matches a server-side value previously generated for the user's session [ref_id=1]. The vulnerability is described as OAuth login CSRF or session swapping [ref_id=1].

The vulnerability lies within the OAuth callback handling logic. Specifically, the application accepts OAuth callback requests based on provider and code but fails to verify the returned state parameter against a server-side stored value. The relevant code locations identified are core/classes/Misc/NamelessOAuth.php and modules/Core/pages/oauth.php [ref_id=1].

The patch addresses the vulnerability by implementing server-side validation of the OAuth state parameter. The application will now generate a cryptographically random state value per authorization request and store it server-side within the user's session. Upon receiving a callback, the application will compare the provided state parameter against the stored session value, rejecting the callback if they do not match. The stored state is then cleared after processing [ref_id=1].

1. Configure Discord OAuth for the NamelessMC instance. 2. Create a NamelessMC account linked to an attacker-controlled Discord account. 3. In an attacker browser session, initiate the 'Login with Discord' flow. 4. Intercept the final OAuth callback request (e.g., GET /index.php?route=%2Foauth%2F&provider=discord&code=<attacker_code>&state=<attacker_state>) before it reaches the application and do not forward it. 5. In a victim browser session, visit /login to create a login-related OAuth session state. 6. In the victim's browser, navigate to the attacker-captured callback URL. 7. Observe that the victim session is logged into the attacker-linked NamelessMC account [ref_id=1].