CVE-2026-28428 MEDIUM

CVE-2026-28428: Talishar: Authentication Bypass via Empty authKey Parameter Allows Unauthenticated Game Actions

Vendor Talishar
Product Talishar
Weakness CWE-287 · Improper authentication
Published March 6, 2026
Last update March 9, 2026

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

Description

Talishar is a fan-made Flesh and Blood project. Prior to commit a9c218e, an authentication bypass vulnerability in Talishar's game endpoint validation logic allows any unauthenticated attacker to perform authenticated game actions — including sending chat messages and submitting game inputs — by supplying an empty authKey parameter (authKey=). The server-side validation uses a loose comparison that accepts an empty string as a valid credential, while correctly rejecting non-empty but incorrect keys. This asymmetry means the authentication mechanism can be completely bypassed without knowing any valid token. This issue has been patched in commit a9c218e.
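The following Python is an added illustration of the asymmetry described above, not Talishar's code (the project's actual comparison is not reproduced here): a hypothetical check that rejects a wrong key but lets an empty one through, beside a hardened version that rejects empty input and compares in constant time. The endpoint stand-in, function names and demo key are constructed for the example.

```python
"""Constructed illustration of the CWE-287 pattern behind CVE-2026-28428:
an auth check that treats an empty credential as valid. Not Talishar's code."""
import hmac
from urllib.parse import parse_qs

# Constructed demo secret; a real server would look this up per game/player.
STORED_AUTH_KEY = "8f3c1b2a-demo-key"


def extract_auth_key(query_string: str) -> str:
    """Return the authKey parameter; a missing or empty parameter becomes ''.
    keep_blank_values=True is needed, otherwise 'authKey=' is silently dropped."""
    params = parse_qs(query_string, keep_blank_values=True)
    return params.get("authKey", [""])[0]


def is_authorized_loose(supplied: str, stored: str) -> bool:
    """Hypothetical vulnerable pattern: only a key that is present AND wrong is
    rejected, so an empty key falls through to the success path."""
    if supplied and supplied != stored:
        return False
    return True


def is_authorized_strict(supplied: str, stored: str) -> bool:
    """Hardened check: refuse missing/empty keys explicitly, then compare in
    constant time so mismatches leak no timing signal."""
    if not supplied or not stored:
        return False
    return hmac.compare_digest(supplied.encode(), stored.encode())


def handle_game_action(query_string: str, check) -> int:
    """Minimal endpoint stand-in: returns an HTTP-style status code."""
    key = extract_auth_key(query_string)
    return 200 if check(key, STORED_AUTH_KEY) else 401


if __name__ == "__main__":
    for qs in ["authKey=8f3c1b2a-demo-key", "authKey=wrong", "authKey=", ""]:
        print(f"{qs!r:32} loose={handle_game_action(qs, is_authorized_loose)} "
              f"strict={handle_game_action(qs, is_authorized_strict)}")
```

Running the block shows the loose check answering 200 for both the correct key and the empty key while the strict check answers 401 for everything but the correct key.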

Key dates

Disclosure timeline

March 6, 2026 CVE published
March 9, 2026 Record updated