CVE-2026-35443
Description
NamelessMC 2.2.4 allows unauthorized users to view and modify reactions on other users' forum topics due to insufficient authorization checks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
NamelessMC version 2.2.4 contains a vulnerability in modules/Forum/classes/ForumPostReactionContext.php where it fails to re-enforce topic-level view_other_topics authorization. This allows users who can only view their own topics to still interact with reactions on other users' topics within the same forum [1].
Exploitation
An attacker with a low-privileged user account can exploit this by attempting to access reactions or add reactions to posts within a topic they are not permitted to view. The attacker needs to be logged in with a session that has forum access but restricted topic viewing. The exploit involves sending requests to the /queries/reactions endpoint with a reactable_id corresponding to a post in a restricted topic, or a POST request to the same endpoint to add a reaction [1].
Impact
Successful exploitation allows unauthorized users to read reaction details on topics they are not allowed to view and to add reactions to posts within those topics. This bypasses the intended access controls for forum topics [1].
Mitigation
Version 2.2.5 of NamelessMC fixes this issue. Users should update to version 2.2.5 or later. No workarounds are disclosed in the available references [1].
AI Insight generated on Jun 2, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <2.2.5
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The ForumPostReactionContext.php file does not re-enforce topic-level view_other_topics authorization when handling forum reactions."
Attack vector
An attacker with a low-privileged user account can exploit this vulnerability. The preconditions require a forum configured with restricted topic viewing (view=1, view_other_topics=0) for members. By sending specific requests to the reactions endpoint, an attacker can bypass the topic-level authorization checks. This allows them to read reaction details and add reactions to posts within topics they are not permitted to view [1].
Affected code
The vulnerability resides in `modules/Forum/classes/ForumPostReactionContext.php`, specifically within the logic that handles forum reactions. The advisory indicates that the `ForumPostReactionContext::validateReactable()` method needs to incorporate topic-level authorization checks [1].
What the fix does
The fix involves reusing the topic-level view_other_topics enforcement within the `ForumPostReactionContext::validateReactable()` method. This ensures that topic visibility is verified before any forum reactions are returned or modified, thereby closing the vulnerability [1].
Preconditions
- auth: Low-privileged user account (member).
- config: Forum configured with view=1 and view_other_topics=0 for Members.
Reproduction
docker exec -w /data nameless-224-php-1 php dev/scripts/request_runner.php --uri='/queries/reactions?reactable_id=3&context=forum_post&tab=0' --session-id='mforum2' --session-json='{"2user":"memberhash1234567890abcdef","2token":"tokforum"}'
docker exec -w /data nameless-224-php-1 php dev/scripts/request_runner.php --method=POST --uri='/queries/reactions' --session-id='mforum1' --session-json='{"2user":"memberhash1234567890abcdef","2token":"tokforum"}' --post-json='{"reactable_id":"3","reaction_id":"1","context":"forum_post","token":"tokforum"}'
[1]
Generated on Jun 2, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.