CRITICAL | CVE-2026-7166 | CNA: INCIBE

CVE-2026-7166: Multiple vulnerabilities in the Assassin game by Gaudire

Sensitive data exposure vulnerability: personal data is served without adequate protection. The API exposes email addresses and phone numbers from the ‘email’ and ‘telefon’ fields. The same exposure exists in the local database, which holds accessible sensitive information including records on minors and municipal users. Successful exploitation could allow an unauthenticated remote attacker to gain access to this sensitive information.

Metrics

CVSS v4.0: 9.2
Severity: CRITICAL
Fixed in: no fix version published
Affected Products: 1


HarborGuard Analysis

Synopsis

This is a sensitive data exposure vulnerability in the Assassin game by Gaudire. The API lacks access controls, so an unauthenticated attacker who can reach it over the network needs no credentials at all. Successful exploitation gives the attacker direct read access to email addresses, phone numbers, and records belonging to minors and municipal users stored in the application database. No fix version has been published; HarborGuard tracks this advisory for patch availability.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-7166 is available across every HarborGuard environment: the CVE is ingested from upstream feeds (including INCIBE) within minutes of publication and matched against all customer images, including custom-built images that bundle the Assassin game or its dependencies.

Triage: Available

HarborGuard scores this CVE at its published CVSS v4.0 rating of 9.2 (Critical) and weights that score against each customer environment's compliance policy. Triage routing then directs the finding to the appropriate team inbox within the customer organization based on configured severity thresholds and ownership rules.

Patch: Pending upstream

Because no upstream fix has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment a fix version is released. In the interim, customers can apply compensating controls through HarborGuard's network-policy recommendations to restrict access to the affected API surface.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the application's API over the network; the CVSS vector specifies AV:N, meaning the service must be network-accessible.

  • Authentication: Not required

    No credentials are needed; PR:N indicates the API endpoint is reachable and exploitable without any account or session token.

  • Victim interaction: Not required

    UI:N means the attacker does not need to trick or involve any user; the data is directly accessible without any victim action.

  • Attack complexity: Low

    AC:L indicates the exploit is straightforward and condition-free, requiring no special timing, race conditions, or environmental setup.

Blast Radius

  • The attacker reads email addresses and phone numbers from the exposed API fields ('email' and 'telefon') for all registered users.
  • Records belonging to minors are accessible, exposing personally identifiable information for a legally protected population.
  • Municipal user data stored in the local database is readable, potentially exposing government-affiliated contact details and account information.
  • Subsequent-system confidentiality impact is high (SC:H), meaning the exposure extends beyond the vulnerable API to the data held in the underlying database.
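The exposure pattern above, shown as an added example that is not code from the Gaudire Assassin game or from HarborGuard: the anonymous "return whole rows" handler next to a hardened allowlist projection, plus a check a reviewer can run over an API response to confirm whether the ‘email’ and ‘telefon’ fields leak. The field names come from the advisory; the record shape, sample rows, and the "organiser" role are constructed assumptions.

```python
from __future__ import annotations

from typing import Any

# Field names from the advisory; everything else in this file is constructed.
SENSITIVE_FIELDS = frozenset({"email", "telefon"})
PUBLIC_FIELDS = ("id", "alias", "alive")

PLAYERS = [  # constructed sample rows, not real data
    {"id": 1, "alias": "fox", "alive": True, "email": "fox@example.org", "telefon": "+34600000001"},
    {"id": 2, "alias": "owl", "alive": False, "email": "owl@example.org", "telefon": "+34600000002"},
]


def list_players_vulnerable() -> list[dict[str, Any]]:
    """The pattern the advisory describes: whole database rows to any caller."""
    return [dict(row) for row in PLAYERS]


def list_players_hardened(caller: dict[str, Any] | None) -> list[dict[str, Any]]:
    """Allowlist projection: contact fields only for an authenticated caller holding
    the (hypothetical) organiser role; anonymous callers get public fields only."""
    fields = list(PUBLIC_FIELDS)
    if caller is not None and caller.get("role") == "organiser":
        fields += sorted(SENSITIVE_FIELDS)
    return [{k: row[k] for k in fields} for row in PLAYERS]


def find_exposed_fields(payload: Any, path: str = "$") -> list[str]:
    """Walk a decoded JSON response and return JSONPath-style locations of every
    sensitive field, so an anonymous response can be checked during review."""
    hits: list[str] = []
    if isinstance(payload, dict):
        for key, value in payload.items():
            here = f"{path}.{key}"
            if key in SENSITIVE_FIELDS:
                hits.append(here)
            hits.extend(find_exposed_fields(value, here))
    elif isinstance(payload, list):
        for i, item in enumerate(payload):
            hits.extend(find_exposed_fields(item, f"{path}[{i}]"))
    return hits


if __name__ == "__main__":
    # A non-empty list for the anonymous response means the exposure is present.
    print(find_exposed_fields(list_players_vulnerable()))
    print(find_exposed_fields(list_players_hardened(None)))
```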

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-7166 is active against any customer image containing the Gaudire Assassin game, scored at Critical (9.2) and routed according to each environment's compliance policy. Because no upstream patch exists yet, HarborGuard monitors the INCIBE advisory on every ingest cycle and will trigger a patched-image rebuild automatically the moment a fix version is published. For customers who opt into auto-remediation, that rebuild will be followed by a regression-test run and a PR opened against affected workloads. While no fix is available, HarborGuard can surface network-policy isolation recommendations to limit inbound access to the affected API, reducing the exposure window for unauthenticated callers. Customers with strict compliance policies around data involving minors should treat this as a priority finding given the nature of the exposed records.

Affected packages
  • Gaudire / Assassin game (last version)

CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N