CVE-2026-33398: Authenticated users can read hidden forum posts through `/forum/get_quotes`
NamelessMC is website software for Minecraft servers. In version 2.2.4, `modules/Forum/pages/forum/get_quotes.php` only checks whether the caller is logged in, then reads a post by attacker-controlled `post` ID and returns its content. The backend helper in `modules/Forum/classes/Forum.php` does not enforce forum or topic ACLs. In contrast, the normal topic page in `modules/Forum/pages/forum/view_topic.php` enforces forum visibility and `view_other_topics`. Any low-privileged authenticated user can enumerate post IDs and read content from hidden, private, or staff-only forums. Version 2.2.5 fixes the issue.
Metrics
- CVSS v4.0: 7.1
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is an authorization bypass (broken access control) in NamelessMC, the open-source website platform for Minecraft server communities. An attacker who holds any valid user account can send crafted requests to the `/forum/get_quotes` endpoint, supplying arbitrary post IDs to retrieve content from hidden, private, or staff-only forums that they should not have access to. Successful exploitation gives the attacker read access to restricted forum posts without needing any elevated permissions. A patched-image rebuild at version 2.2.5 is available on HarborGuard for environments running the affected 2.2.4 image.
HarborGuard Coverage
Detection of CVE-2026-33398 is available across every HarborGuard environment. The CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built images that bundle NamelessMC 2.2.4, in both registry scans and CI/CD pipeline checks.
Status: Available
HarborGuard scores this CVE at 7.1 HIGH using the CVSS v4.0 vector and is capable of weighting that score against each customer environment's compliance policy to surface it at the correct priority. Triage routing is available to direct findings to the right team inbox within each customer organization.
Status: Available
Because version 2.2.5 is available upstream, HarborGuard can produce a patched-image rebuild at that version for any environment found running the affected 2.2.4 image. For customers who opt into auto-remediation, the rebuild is followed by an automated regression-test run and a pull request opened against affected workloads.
Status: Pending upstream
Exploit Conditions
- Network reachability: Required. The vulnerable endpoint is exposed over the network, so an attacker must be able to reach the NamelessMC web service via HTTP/HTTPS.
- Authentication: Required. Any low-privilege registered account is sufficient; the endpoint checks only for a valid login session, not for any elevated role.
- Victim interaction: Not required. No victim action is needed; the attacker sends requests directly to the endpoint without involving another user.
- Attack complexity: Exploitation is reliable and condition-free; the attacker simply increments post IDs in requests, with no race condition or environmental dependency required.
Blast Radius
- The attacker reads the full text content of posts in hidden, private, or staff-only forums that are intentionally restricted from their account.
- Sequential enumeration of post IDs allows bulk harvesting of restricted content across multiple forums and topics in a single session.
- Sensitive information stored in staff forums, such as moderation decisions, ban reasons, or internal server administration discussions, is exposed to any registered user.
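For sites that ran 2.2.4, the bulk enumeration described above leaves a recognizable trace in web server logs: one client making many requests to `/forum/get_quotes` in a short period. The following is an added example, not code from NamelessMC or HarborGuard, that flags such clients. It assumes a combined-format access log and groups by client IP; the window, the threshold and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

ENDPOINT = "/forum/get_quotes"  # endpoint named in the advisory
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" \d{3} '
)

def _line(ip, hhmmss, target):
    # Build one constructed access-log line (sample data, not real traffic).
    return f'{ip} - - [01/Jan/2026:{hhmmss} +0000] "POST {target} HTTP/1.1" 200 512'

SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", f"10:00:{s:02d}", ENDPOINT) for s in range(1, 7)]
    + [_line("198.51.100.20", "10:01:00", ENDPOINT),
       _line("198.51.100.20", "10:20:00", ENDPOINT),
       _line("198.51.100.20", "10:21:00", "/forum/topic/12")]
)

def find_enumeration(log_text, window=timedelta(minutes=5), threshold=5):
    """Map client IP -> peak number of get_quotes requests inside any
    sliding window, keeping only clients at or above the threshold."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        # Match on the request target so rewritten and ?route= URLs both count.
        if not m or ENDPOINT not in m["target"]:
            continue
        hits[m["ip"]].append(datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"))
    flagged = {}
    for ip, times in hits.items():
        times.sort()
        start = peak = 0
        for end, t in enumerate(times):
            # Shrink the window from the left until it spans at most `window`.
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

if __name__ == "__main__":
    for ip, peak in find_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: {peak} requests to {ENDPOINT} within 5 minutes")
```

Ordinary quoting produces only a handful of these requests per user, so the threshold should be tuned against a site's normal traffic before alerting on it.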
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-33398 is active across all scanned environments, matching images that bundle NamelessMC 2.2.4 against the published advisory. A patched-image rebuild at version 2.2.5 becomes available as soon as a matching image is identified in a customer registry or pipeline. For customers who opt into auto-remediation, HarborGuard initiates a rebuild, runs regression tests against it, and opens a pull request against affected workloads; for high-severity issues, the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where auto-remediation is not enabled, the finding is surfaced in the HarborGuard dashboard with the fix version noted and severity-weighted against the environment's compliance policy for manual review and action.
- NamelessMC / Nameless = 2.2.4
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N