Low severity2.4NVD Advisory· Published May 11, 2026· Updated May 13, 2026
CVE-2026-42188
CVE-2026-42188
Description
Geyser is a bridge between Minecraft: Bedrock Edition and Minecraft: Java Edition. Prior to 2.9.3, a server-side request forgery (SSRF) vulnerability exists in Geyser’s handling of Bedrock player head texture data. By supplying a crafted Base64-encoded skin texture URL via the /give command, an attacker can cause the Minecraft server to issue arbitrary HTTP GET requests to attacker-controlled or internal endpoints. This occurs server-side, without proper URL validation, and can be triggered by a Bedrock client. This vulnerability is fixed in 2.9.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.geysermc.geyser:coreMaven | < 2.9.3 | 2.9.3 |
Affected products
1Patches
Vulnerability mechanics
References
3News mentions
0No linked articles in our index yet.