CVE-2026-40314
Description
NamelessMC 2.2.4 allows unauthenticated users to view reactions on private posts and authenticated users to add reactions to private or blocking posts.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
NamelessMC 2.2.4 allows unauthenticated users to view reactions on private posts and authenticated users to add reactions to private or blocking posts.
Vulnerability
In NamelessMC versions prior to 2.2.5, specifically version 2.2.4, the file core/classes/Misc/ProfilePostReactionContext.php fails to enforce blocked or private-profile visibility when checking for the existence of a wall post. Additionally, modules/Core/queries/reactions.php permits unauthenticated GET requests for reaction details. This allows unauthorized access to information related to reactions on private profile posts [1].
Exploitation
An unauthenticated attacker can exploit this vulnerability by sending a GET request to modules/Core/queries/reactions.php with the appropriate reactable_id and context parameters, targeting a private profile post. This allows them to view reaction participants and timestamps for private posts. Authenticated low-privileged users can also add reactions to private or blocking profile posts [1].
Impact
Successful exploitation allows unauthenticated visitors to read the participants and timestamps of reactions on private profile posts. For authenticated low-privileged users, they can add reactions to posts that should be inaccessible due to privacy or blocking settings. This leads to unauthorized information disclosure and potential manipulation of content visibility [1].
Mitigation
NamelessMC version 2.2.5 addresses this issue by enforcing blocked/private-profile authorization in ProfilePostReactionContext::validateReactable() and applying visibility rules to reaction GET requests. It now returns a generic error for inaccessible profile resources instead of leaking participant information. The fix was released on or before 2026-06-02 [1].
AI Insight generated on Jun 2, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1- Range: <=2.2.4
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"The system fails to enforce profile visibility restrictions when retrieving reaction details."
Attack vector
Unauthenticated visitors can read reaction participants and timestamps for private profile posts by sending GET requests to `modules/Core/queries/reactions.php` with a `reactable_id` corresponding to a private post [ref_id=1]. Low-privileged authenticated users can also add reactions to private or blocking profile posts [ref_id=1].
Affected code
The vulnerability exists in `core/classes/Misc/ProfilePostReactionContext.php` and `modules/Core/queries/reactions.php` [ref_id=1].
What the fix does
Version 2.2.5 enforces blocked/private-profile authorization in `ProfilePostReactionContext::validateReactable()` and applies the same visibility rules to reaction GET requests. This prevents unauthorized users from accessing sensitive information or interacting with restricted content [ref_id=1].
Preconditions
- authFor unauthenticated reads: no authentication required. For authenticated writes: low-privileged user account.
- inputA private profile post with a known ID.
Reproduction
docker exec -w /data nameless-224-php-1 php dev/scripts/request_runner.php \ --uri='/queries/reactions?reactable_id=10&context=profile_post&tab=0'
Generated on Jun 2, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1News mentions
0No linked articles in our index yet.