CVE-2026-34460
NamelessMC: OAuth callback `state` is not validated, allowing login CSRF / session swapping
| CVSS Score | 5.4 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
NamelessMC is website software for Minecraft servers. In versions 2.2.4 and prior, the OAuth callback handler does not validate the `state` parameter server-side before exchanging the authorization code: the `state` value returned in the callback is never compared with the value that was generated and stored in the user's session when the login flow began. An attacker can therefore complete the OAuth flow for their own account, capture the resulting callback URL (authorization code plus the attacker's `state`), and cause a victim's browser to navigate to it. The victim's session is then authenticated as the attacker-linked account (OAuth login CSRF / session swapping), so anything the victim does afterwards happens in an account the attacker controls. This is patched in version 2.2.5.
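The following is an added illustration of the flaw and its fix, written in Python as a stand-in for the callback handler; it is not NamelessMC's own (PHP) code, and the provider, account names, authorization codes and function names are constructed for the example. `vulnerable_callback` mirrors the behaviour the advisory describes (the `state` query parameter is ignored), while `hardened_callback` requires a `state` that was minted for this session, consumes it on first use, and compares it in constant time before the authorization code is exchanged. `login_csrf` plays out the attack: the attacker finishes their own flow, captures the callback URL and has the victim's browser load it.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical stand-in for the provider's token endpoint: maps an
# authorization code to the provider-side account it was issued for.
# Constructed sample data, not a real identity provider.
PROVIDER_CODES = {
    "code-attacker-123": "attacker@provider.example",
    "code-victim-456": "victim@provider.example",
}
CALLBACK = "https://nameless.example/oauth/callback"  # hypothetical site


def begin_login(session: dict) -> str:
    """Start an OAuth flow: mint a fresh, unguessable state and bind it to this session."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    return state


def provider_redirect(code: str, state: str) -> str:
    """URL the provider would send the browser to after authorization."""
    return f"{CALLBACK}?{urlencode({'code': code, 'state': state})}"


def exchange_code(code: str):
    """Toy code-for-identity exchange standing in for the token endpoint."""
    return PROVIDER_CODES.get(code)


def _query(url: str) -> dict:
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def vulnerable_callback(session: dict, url: str):
    """Pre-2.2.5 behaviour as described in the advisory: the code is
    exchanged and the session bound to the result; `state` is never checked."""
    account = exchange_code(_query(url).get("code", ""))
    if account is None:
        return None
    session["user"] = account
    return account


def hardened_callback(session: dict, url: str):
    """Validate `state` before touching the code: it must exist in this
    session, is consumed on first use (even on failure), and must match in
    constant time. Only then is the authorization code exchanged."""
    params = _query(url)
    expected = session.pop("oauth_state", None)
    received = params.get("state")
    if expected is None or received is None:
        return None
    if not hmac.compare_digest(expected.encode(), received.encode()):
        return None
    account = exchange_code(params.get("code", ""))
    if account is None:
        return None
    session["user"] = account
    return account


def login_csrf(callback, victim_in_flow: bool = False):
    """Attacker completes their own flow, captures the callback URL and makes
    the victim's browser load it. Returns whose account the victim ends up in."""
    attacker = {}
    attacker_state = begin_login(attacker)
    captured = provider_redirect("code-attacker-123", attacker_state)
    victim = {}
    if victim_in_flow:
        begin_login(victim)  # victim has a flow open, with a different state
    callback(victim, captured)
    return victim.get("user")


def legitimate_login(callback):
    """Honest flow: the state in the callback is the one this session minted."""
    victim = {}
    state = begin_login(victim)
    callback(victim, provider_redirect("code-victim-456", state))
    return victim.get("user")


if __name__ == "__main__":
    print("vulnerable, CSRF:", login_csrf(vulnerable_callback))     # attacker@provider.example
    print("hardened,   CSRF:", login_csrf(hardened_callback))       # None
    print("hardened, honest:", legitimate_login(hardened_callback)) # victim@provider.example
```

Three properties of the hardened handler are worth checking in any real fix: the comparison happens before the code exchange (so an attacker never gets a code consumed on the victim's behalf), the stored state is removed on the first callback so a captured URL cannot be replayed, and the comparison is constant-time (PHP's `hash_equals` is the equivalent of `hmac.compare_digest` here).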
| CWE | CWE-302 (Authentication Bypass by Assumed-Immutable Data), CWE-346 (Origin Validation Error), CWE-352 (Cross-Site Request Forgery) |
| Vendor | namelessmc |
| Product | nameless |
| Published | Jun 2, 2026 |
| Last Updated | Jun 2, 2026 |
CVSS v3 Breakdown
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | Required |
| Scope | Unchanged |
| Confidentiality | Low |
| Integrity | Low |
| Availability | None |
Affected Versions
| NamelessMC / Nameless | < 2.2.5 |