VYPR
Medium severity · NVD Advisory · Published Jun 2, 2026 · Updated Jun 2, 2026

CVE-2026-40571

Description

NamelessMC 2.2.4 allows authenticated users to react to private or blocked profile posts due to insufficient authorization checks.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

In NamelessMC version 2.2.4, the core/classes/Misc/ProfilePostReactionContext.php file fails to properly enforce blocked or private-profile visibility when adding reactions to wall posts. It only verifies the existence of the post, not the visibility settings [1].

Exploitation

An authenticated, low-privileged user can exploit this vulnerability by targeting a private or blocked profile post. The attacker needs a valid session and can then send a POST request to the /queries/reactions endpoint with the reactable_id of the private post and context set to profile_post [1].

Impact

Successful exploitation allows an attacker to add reactions to private or blocked profile posts, bypassing intended privacy controls. This could lead to unwanted engagement or information leakage about the participants involved in the reaction [1].

Mitigation

NamelessMC version 2.2.5 includes a patch that enforces blocked/private-profile authorization in ProfilePostReactionContext::validateReactable() and returns a generic error for inaccessible profile resources. Users should update to version 2.2.5 or later. No workarounds are specified [1].

AI Insight generated on Jun 2, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Vulnerability mechanics

Root cause

"The profile post reaction context does not properly enforce visibility restrictions for private or blocked profiles."

Attack vector

Authenticated low-privileged users can add reactions to posts on private profiles and on profiles whose owner has blocked them. The vulnerability exists because the code only verifies that the wall post exists and does not enforce blocked or private-profile visibility. This allows unauthorized users to interact with posts they should not be able to see or interact with. The advisory provides a proof of concept demonstrating a low-privileged user adding a reaction to a private post [1].

Affected code

The vulnerability resides in `core/classes/Misc/ProfilePostReactionContext.php`, which fails to properly validate user permissions before allowing reactions to profile posts [1].

What the fix does

The patch enforces blocked/private-profile authorization within the `ProfilePostReactionContext::validateReactable()` function. It now returns a generic error message for inaccessible profile resources, preventing the leakage of participant information and ensuring that only authorized users can add reactions to profile posts [1].
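
The check described above, as an added example rather than NamelessMC's own code: the existence-only validation of 2.2.4 is shown beside a hardened variant that also enforces private-profile and block visibility and collapses every failure into one generic error. The in-memory post, friend and block tables, the function names and the error text are assumptions constructed for this example.

```php
<?php
// Added example modelling the authorization gap in the advisory. The data
// tables, function names and error text are assumptions, not NamelessMC code.

// Constructed sample data: post 10 sits on the private profile of user 2,
// post 11 sits on the public profile of user 4, and user 2 has blocked user 3.
$posts = [
    10 => ['id' => 10, 'profile_owner' => 2],
    11 => ['id' => 11, 'profile_owner' => 4],
];
$privateProfiles = [2 => true];
$friends = [2 => [5]];   // owner => users allowed to view that private profile
$blocked = [2 => [3]];   // owner => users that owner has blocked

// Vulnerable shape (2.2.4 behaviour): the post merely has to exist.
function validateReactableVulnerable(array $posts, int $reactableId): bool
{
    return isset($posts[$reactableId]);
}

// Hardened shape: existence, then visibility of the owning profile for the
// acting user. Every failure raises the same generic error so the response
// does not reveal whether the post exists, is private, or the viewer is blocked.
function validateReactableHardened(array $posts, array $privateProfiles,
                                   array $friends, array $blocked,
                                   int $reactableId, int $viewerId): bool
{
    $generic = 'Unable to react to this resource';
    if (!isset($posts[$reactableId])) {
        throw new RuntimeException($generic);
    }
    $owner = $posts[$reactableId]['profile_owner'];
    if ($owner !== $viewerId) {
        if (in_array($viewerId, $blocked[$owner] ?? [], true)) {
            throw new RuntimeException($generic);
        }
        $isPrivate = !empty($privateProfiles[$owner]);
        if ($isPrivate && !in_array($viewerId, $friends[$owner] ?? [], true)) {
            throw new RuntimeException($generic);
        }
    }
    return true;
}

// User 3 (blocked by user 2, not a friend) reacting to post 10 on the private profile.
var_dump(validateReactableVulnerable($posts, 10));
try {
    validateReactableHardened($posts, $privateProfiles, $friends, $blocked, 10, 3);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
// The same user reacting to post 11 on a public profile is still permitted.
var_dump(validateReactableHardened($posts, $privateProfiles, $friends, $blocked, 11, 3));
```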

Preconditions

  • auth: The attacker must be an authenticated user with low privileges.
  • config: The target user must have a private profile.
  • input: The target post must be a private wall post.

Reproduction

docker exec -w /data nameless-224-php-1 php dev/scripts/request_runner.php \
  --method=POST \
  --uri='/queries/reactions' \
  --session-id='mreact1' \
  --session-json='{"2user":"memberhash1234567890abcdef","2token":"tokreact"}' \
  --post-json='{"reactable_id":"10","reaction_id":"1","context":"profile_post","token":"tokreact"}'

Generated on Jun 2, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
