Severity: CRITICAL | CVE-2026-7165 | CNA: INCIBE

CVE-2026-7165: Multiple vulnerabilities in the Assassin game by Gaudire

The vulnerability is present in the ‘/addJugador’ endpoint:

  • The 'keyJugador' and 'keyJugadorObjectiu' parameters allow the modification of other users’ information without requiring prior authorization validation. This could enable an authenticated attacker to alter any user’s ID and change their information.
  • The ‘punts’ and ‘numObjectiusEliminats’ fields allow arbitrary data to be added because user input is not properly validated. This makes it possible to obtain authentic prizes, awarded by city councils, by falsifying game scores.
  • In the ‘tokens’ field, administrative privileges can be self-assigned without server validation or prior authentication. This vulnerability could allow an authenticated attacker to grant themselves administrator permissions and thus escalate privileges.
  • Numeric fields allow the entry of extremely long values, which can cause the system to crash. Successful exploitation of this vulnerability could allow an authenticated attacker to launch a denial-of-service (DoS) attack, preventing created games from being playable.
  • The ‘urlImatge’ parameter allows server-side requests to arbitrary URLs, enabling the retrieval of users’ internal IP addresses, access to internal services, reading of local files, and unauthorized interaction with third-party APIs. An authenticated attacker could gain access to sensitive data.

Metrics

  • CVSS v4.0: 9.4
  • Severity: CRITICAL
  • Fixed in: (none listed)
  • Affected Products: 1


HarborGuard Analysis

Synopsis

Multiple critical vulnerabilities exist in the '/addJugador' endpoint of the Assassin game by Gaudire, spanning broken access control, privilege escalation, input validation failures, and server-side request forgery (SSRF). The flaws are reachable over the network and require only a low-privilege authenticated account, meaning any registered player can trigger them without additional prerequisites. Successful exploitation lets an attacker read internal infrastructure data, falsify game scores to claim real-world prizes, self-assign administrator privileges, tamper with other users' records, and crash active game sessions. No fix version has been published; HarborGuard tracks this advisory for patch availability.

HarborGuard Coverage

Detection

Detection of CVE-2026-7165 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built images that bundle the Gaudire Assassin game. Any image found running the affected last-known version is flagged immediately.

Status: Available

Triage

Triage is available with the CVSS v4.0 score of 9.4 (Critical) applied automatically; per-environment compliance policy weighting can raise or lower the effective priority before the finding is routed to the appropriate team inbox within each customer organization.

Status: Available

Patch

Because no upstream fix version exists yet, HarborGuard re-evaluates this advisory on every ingest cycle and will make a patched-image rebuild available the moment the upstream maintainer publishes a remediated release. For customers who opt into auto-remediation, the rebuild, regression test run, and PR against affected workloads will be triggered automatically at that point.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The '/addJugador' endpoint is exposed over the network, so the attacker must be able to reach the service across the internet or an internal network.

  • Authentication: Required

    A low-privilege account (any registered player) is sufficient; no administrative credentials are needed to trigger any of the described vulnerabilities.

  • Victim interaction: Not required

    The attacker sends crafted requests directly to the endpoint; no action by another user or administrator is needed.

  • Attack complexity: Detail

    Exploitation is reliable and condition-free: no race conditions, special memory layout, or environmental timing are required to succeed.

Blast Radius

  • Reads internal IP addresses, local files, and responses from internal services or third-party APIs via the SSRF vulnerability in the 'urlImatge' parameter.
  • Modifies any user's game records and identity fields without that user's consent by exploiting the missing authorization check on 'keyJugador' and 'keyJugadorObjectiu'.
  • Self-assigns administrator privileges by writing to the 'tokens' field, gaining full control over game configuration and other players' accounts.
  • Crashes active game sessions by submitting extremely long numeric values, making all created games unplayable for the duration of the attack.

How HarborGuard Handles This

Available on HarborGuard: because no upstream patch exists, the platform monitors the INCIBE advisory and the Gaudire project on every ingest cycle, ready to make a patched-image rebuild available the moment a fix is published. For customers who opt into auto-remediation, that rebuild will be followed immediately by a regression test run and a PR opened against affected workloads. In the interim, compensating controls are worth considering: network policy rules that restrict access to the '/addJugador' endpoint to trusted source addresses only, egress filtering to block outbound requests from the application container to internal RFC-1918 ranges and metadata services (which limits SSRF reachability), and input-length limits enforced at the ingress or WAF layer to reduce denial-of-service exposure. Where compliance policy permits, HarborGuard can surface these control gaps as policy findings alongside the CVE finding itself.
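The network-level controls above have server-side counterparts for each flaw listed in the advisory. The following is an added example, not code from Gaudire or HarborGuard: it sketches how a handler for '/addJugador' could reject the described inputs. The payload shape, `session_key`, `assigned_target`, `MAX_DIGITS` and the resolver stub are assumptions, since the advisory does not publish the real schema.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumed limits and names; the advisory does not publish the real schema.
MAX_DIGITS = 6
NUMERIC_FIELDS = ("punts", "numObjectiusEliminats")
SERVER_ONLY_FIELDS = ("tokens",)

def resolve(host):
    """Return every address the host name resolves to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def url_is_public(url, resolver=resolve):
    """Allow only http(s) URLs whose host resolves solely to global addresses."""
    try:
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            return False
        addrs = resolver(parts.hostname)
        return bool(addrs) and all(ipaddress.ip_address(a).is_global for a in addrs)
    except (OSError, ValueError):
        return False

def validate_add_jugador(payload, session_key, assigned_target, resolver=resolve):
    """Return the rejected field names; an empty list means the request may proceed."""
    errors = []
    # Identity comes from the session, never from the request body.
    if payload.get("keyJugador") != session_key:
        errors.append("keyJugador")
    # The target must be the one the server assigned to this player.
    if payload.get("keyJugadorObjectiu") != assigned_target:
        errors.append("keyJugadorObjectiu")
    # Privilege fields are set by the server only.
    errors += [f for f in SERVER_ONLY_FIELDS if f in payload]
    # Bound the length before parsing so oversized numbers are never converted.
    for field in NUMERIC_FIELDS:
        raw = str(payload.get(field, ""))
        if not (raw.isascii() and raw.isdigit() and len(raw) <= MAX_DIGITS):
            errors.append(field)
    if "urlImatge" in payload and not url_is_public(payload["urlImatge"], resolver):
        errors.append("urlImatge")
    return errors

# Constructed sample data: a resolver stub so the example runs offline.
SAMPLE_DNS = {"cdn.example.org": {"93.184.216.34"}, "intranet.example.org": {"10.0.0.5"}}
def sample_resolver(host):
    return SAMPLE_DNS.get(host, {host})
```

A resolution check like this only holds if the later fetch connects to the address that was validated and does not follow redirects to unchecked hosts; the egress filtering described above remains the backstop.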

Affected packages
  • Gaudire / Assassin game
    last version
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H