CVE-2026-42188
Geyser: Server-Side Request Forgery (SSRF) via Player Head Texture URL
| CVSS Score | 2.4 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
Geyser is a bridge between Minecraft: Bedrock Edition and Minecraft: Java Edition. Prior to 2.9.3, a server-side request forgery (SSRF) vulnerability exists in Geyser's handling of Bedrock player head texture data. By supplying a crafted Base64-encoded skin texture URL via the /give command, an attacker can cause the Minecraft server to issue arbitrary HTTP GET requests to attacker-controlled or internal endpoints. This occurs server-side, without proper URL validation, and can be triggered by a Bedrock client. This vulnerability is fixed in 2.9.3.
| CWE | CWE-918 |
| Vendor | geysermc |
| Product | geyser |
| Published | May 11, 2026 |
| Last Updated | May 13, 2026 |
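The description above attributes the issue to a texture URL being fetched without proper URL validation. As an added example (not Geyser's code and not the 2.9.3 fix), this Python code decodes a Base64 texture property and accepts its URL only when it points at an allowlisted host. The JSON layout (`textures.SKIN.url`), the `textures.minecraft.net` allowlist, the `/texture/` path prefix and all function names are assumptions.

```python
import base64
import binascii
import json
from urllib.parse import urlsplit

# Assumptions (not from the advisory): property layout and the allowed host.
ALLOWED_HOSTS = {"textures.minecraft.net"}
ALLOWED_SCHEMES = {"http", "https"}


def extract_texture_url(b64_value):
    """Decode a Base64 texture property; return textures.SKIN.url or None."""
    try:
        raw = base64.b64decode(b64_value, validate=True)
        url = json.loads(raw.decode("utf-8"))["textures"]["SKIN"]["url"]
    except (binascii.Error, ValueError, KeyError, TypeError):
        return None
    return url if isinstance(url, str) else None


def is_allowed_texture_url(url):
    """Accept only plain http(s) URLs on an allowlisted host, default port."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme not in ALLOWED_SCHEMES:
        return False
    if parts.username is not None or parts.password is not None:
        return False  # rejects "allowed-host@other-host" userinfo forms
    if parts.hostname not in ALLOWED_HOSTS:
        return False  # exact match: no suffix or prefix matching
    return port is None and parts.path.startswith("/texture/")


def safe_texture_url(b64_value):
    """Return the URL only if it decodes cleanly and passes the allowlist."""
    url = extract_texture_url(b64_value)
    return url if url is not None and is_allowed_texture_url(url) else None


def encode_property(url):
    """Build a constructed sample property for exercising the checks."""
    doc = {"textures": {"SKIN": {"url": url}}}
    return base64.b64encode(json.dumps(doc).encode("utf-8")).decode("ascii")
```

A fetcher that relies on this check should also refuse HTTP redirects, since a redirect from an allowed host would otherwise sidestep the allowlist.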
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | High |
| User Interaction | Required |
| Scope | Unchanged |
| Confidentiality | Low |
| Integrity | None |
| Availability | None |
Affected Versions
GeyserMC / Geyser
< 2.9.3