CVE-2026-34460 PUBLISHED

NamelessMC: OAuth callback `state` is not validated, allowing login CSRF / session swapping

Assigner: GitHub_M
Reserved: 27.03.2026 Published: 02.06.2026 Updated: 02.06.2026

NamelessMC is website software for Minecraft servers. In versions 2.2.4 and prior, the OAuth callback handling does not validate the state parameter server-side before exchanging the authorization code. This allows an attacker to capture a valid OAuth callback URL for their own account and cause a victim's browser to navigate to it, resulting in the victim's session being authenticated as the attacker-linked account (OAuth login CSRF / session swapping). This is patched in version 2.2.5.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
CVSS Score: 5.4

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	Low
Privileges Required	None	Integrity Impact	Low
User Interaction	Required	Availability Impact	None

CVSS 3.1

Product Status

Vendor	NamelessMC
Product	Nameless
Versions	Version < 2.2.5 is affected

References

https://github.com/NamelessMC/Nameless/security/advisories/GHSA-pmpw-2xvh-5xj6

Problem Types

CWE-302: Authentication Bypass by Assumed-Immutable Data CWE
CWE-346: Origin Validation Error CWE
CWE-352: Cross-Site Request Forgery (CSRF) CWE