CVE-2026-21854 CRITICAL

CVE-2026-21854: Tarkov Data Manager Authentication Bypass vulnerability

Vendor The-Hideout
Product tarkov-data-manager
Weakness CWE-287 · Improper authentication
Published January 7, 2026
Last update January 7, 2026

CVSS base score

9.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

The Tarkov Data Manager is a tool to manage the Tarkov item data. Prior to 02 January 2025, an authentication bypass vulnerability in the login endpoint allows any unauthenticated user to gain full admin access to the Tarkov Data Manager admin panel by exploiting a JavaScript prototype property access vulnerability, combined with loose equality type coercion. A series of fix commits on 02 January 2025 fixed this and other vulnerabilities.

Key dates

02Disclosure timeline

January 7, 2026 CVE published
January 7, 2026 Record updated