CVE-2026-21854 PUBLISHED

Tarkov Data Manager Authentication Bypass vulnerability

Assigner: GitHub_M
Reserved: 05.01.2026 Published: 07.01.2026 Updated: 07.01.2026

The Tarkov Data Manager is a tool to manage the Tarkov item data. Prior to 02 January 2025, an authentication bypass vulnerability in the login endpoint allows any unauthenticated user to gain full admin access to the Tarkov Data Manager admin panel by exploiting a JavaScript prototype property access vulnerability, combined with loose equality type coercion. A series of fix commits on 02 January 2025 fixed this and other vulnerabilities.
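
Added illustration of the bug class named above, not code from tarkov-data-manager or its fix commits: a constructed login check where inherited-property lookup plus loose equality accepts a request that carries no credential, beside a hardened check. The `users` store, the function names and the request bodies are assumptions made for this example.

```javascript
// Constructed credential store; names and values are illustrative only.
const users = { admin: { password: 'constructed-example-secret' } };

// Weak pattern: bracket lookup on a plain object also resolves keys inherited
// from Object.prototype, and == treats undefined and null as equal.
function weakLogin(body) {
  const user = users[body.username];
  if (!user) return false;
  return user.password == body.password;
}

// Hardened pattern: validate types, accept own properties only, compare strictly.
function hardenedLogin(body) {
  if (body === null || typeof body !== 'object') return false;
  const { username, password } = body;
  if (typeof username !== 'string' || typeof password !== 'string') return false;
  if (password.length === 0) return false;
  if (!Object.prototype.hasOwnProperty.call(users, username)) return false;
  const user = users[username];
  if (typeof user.password !== 'string') return false;
  return user.password === password;
}

// Constructed request bodies, shaped as a JSON body parser would produce them.
const requests = [
  { username: 'admin', password: 'constructed-example-secret' }, // valid login
  { username: 'admin', password: 'wrong' },                      // bad password
  { username: 'toString' },                    // inherited key, no password field
  { username: 'constructor', password: null }, // inherited key, null password
];

// Run every request through both checks and return the outcomes side by side.
function compare() {
  return requests.map((r) => ({
    username: r.username,
    weak: weakLogin(r),
    hardened: hardenedLogin(r),
  }));
}

console.table(compare());
```

Storing accounts in a `Map` or an object created with `Object.create(null)` removes the inherited keys at the source; the type checks are still needed because request bodies can carry non-string values.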

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS Score: 9.8

Product Status

Vendor: the-hideout
Product: tarkov-data-manager
Versions
  • Version <= 2.0.0 is affected

Problem Types

  • CWE-287: Improper Authentication
  • CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')
  • CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')