CVE-2026-7165: CWE-20 Improper input validation in Gaudire Assassin game
The vulnerability is present in the '/addJugador' endpoint:
- The 'keyJugador' and 'keyJugadorObjectiu' parameters allow the modification of other users' information without requiring prior authorization validation. This could enable an authenticated attacker to alter any user's ID and change their information.
- The 'punts' and 'numObjectiusEliminats' fields allow arbitrary data to be added because user input is not properly validated. This makes it possible to obtain authentic prizes, awarded by city councils, by falsifying game scores.
- In the 'tokens' field, administrative privileges can be self-assigned without server validation or prior authentication. This vulnerability could allow an authenticated attacker to grant themselves administrator permissions and thus escalate privileges.
- Numeric fields allow the entry of extremely long values, which can cause the system to crash. Successful exploitation of this vulnerability could allow an authenticated attacker to launch a denial-of-service (DoS) attack, preventing created games from being playable.
- The 'urlImatge' parameter allows server-side requests to arbitrary URLs, enabling the retrieval of users' internal IP addresses, access to internal services, reading of local files, and unauthorized interaction with third-party APIs. An authenticated attacker could gain access to sensitive data.
AI Analysis
Technical Summary
This vulnerability in the Gaudire Assassin game's '/addJugador' endpoint involves multiple improper input validation flaws (CWE-20). The 'keyJugador' and 'keyJugadorObjectiu' parameters lack authorization checks, enabling modification of any user's data. The 'punts' and 'numObjectiusEliminats' fields accept arbitrary values, allowing score falsification. The 'tokens' field permits self-assignment of administrative privileges without validation, leading to privilege escalation. Numeric fields accept excessively long values, potentially causing system crashes and denial-of-service. The 'urlImatge' parameter enables server-side requests to arbitrary URLs, risking exposure of internal IP addresses, internal services, local files, and unauthorized third-party API interactions. No patch or official remediation is currently documented.
Potential Impact
An authenticated attacker can alter any user's identity and information, falsify game scores to illegitimately obtain prizes, escalate privileges to administrator level, cause denial-of-service by crashing the system with oversized inputs, and exploit server-side request forgery to access sensitive internal data and services. These combined issues severely compromise game integrity, user data confidentiality, and service availability.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict access to the '/addJugador' endpoint to trusted users only, implement strict input validation and authorization checks on all parameters, and monitor for abnormal activity related to score changes and privilege escalations. Avoid exposing the vulnerable endpoint publicly and consider network-level controls to limit server-side request forgery risks.
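As an added illustration of the server-side controls recommended above (this is example code written for this page, not code from the advisory, from INCIBE or from the game; the field limits, the allowlisted image host, the session and target lookups and the function names are all assumptions), the following request screen for '/addJugador' ties each flaw in the description to one check: the player key must match the authenticated session, the target key must match what the server assigned, privilege fields such as 'tokens' are refused outright, numeric fields are capped in length before conversion and then range-checked, and 'urlImatge' is restricted to https URLs on an allowlisted host with non-public IP literals rejected.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumed limits: the advisory states none, so these are illustrative values.
MAX_NUMERIC_LEN = 9          # digit-string cap applied before int(); stops oversized inputs
MAX_PUNTS = 1_000_000
MAX_OBJECTIUS = 10_000
ALLOWED_IMAGE_HOSTS = {"images.example.org"}         # assumed allowlist for urlImatge
_DIGITS = re.compile(r"^[0-9]{1,%d}$" % MAX_NUMERIC_LEN)
SERVER_ONLY_FIELDS = ("tokens", "isAdmin", "role")   # privilege data never taken from the client


class ValidationError(ValueError):
    """Raised when the request must be rejected (HTTP 400 or 403 in a real handler)."""


def parse_bounded_int(raw, upper):
    """Accept only a short string of digits, then range-check the resulting integer."""
    text = str(raw)
    if not _DIGITS.match(text):
        raise ValidationError(f"not a bounded non-negative integer: {text[:20]!r}")
    value = int(text)
    if value > upper:
        raise ValidationError(f"value {value} exceeds limit {upper}")
    return value


def validate_image_url(raw_url):
    """Allow only https URLs to allowlisted hosts; refuse IP literals outside public space."""
    parts = urlsplit(str(raw_url))
    if parts.scheme != "https" or not parts.hostname:
        raise ValidationError("urlImatge must be an https URL")
    if parts.username or parts.password:
        raise ValidationError("credentials in urlImatge are not allowed")
    host = parts.hostname
    try:
        literal = ipaddress.ip_address(host)
    except ValueError:
        literal = None                    # a DNS name, checked against the allowlist below
    if literal is not None and not literal.is_global:
        raise ValidationError("urlImatge must not point at a private or local address")
    if host not in ALLOWED_IMAGE_HOSTS:
        raise ValidationError(f"host {host!r} is not an allowed image source")
    return parts.geturl()


def validate_add_jugador(payload, session_user_key, assigned_target_key):
    """Return a sanitized update for /addJugador or raise ValidationError.

    session_user_key and assigned_target_key come from server-side state
    (the login session and the game's own target assignment), never from the body.
    """
    if not isinstance(payload, dict):
        raise ValidationError("body must be a JSON object")
    # Authorization: a player may only update their own record ...
    if payload.get("keyJugador") != session_user_key:
        raise ValidationError("keyJugador does not match the authenticated user")
    # ... and may only report the target the server assigned to them.
    if "keyJugadorObjectiu" in payload and payload["keyJugadorObjectiu"] != assigned_target_key:
        raise ValidationError("keyJugadorObjectiu is not this player's assigned target")
    for name in SERVER_ONLY_FIELDS:
        if name in payload:
            raise ValidationError(f"field {name!r} is server-controlled")
    clean = {"keyJugador": session_user_key}
    if "keyJugadorObjectiu" in payload:
        clean["keyJugadorObjectiu"] = assigned_target_key
    if "punts" in payload:
        clean["punts"] = parse_bounded_int(payload["punts"], MAX_PUNTS)
    if "numObjectiusEliminats" in payload:
        clean["numObjectiusEliminats"] = parse_bounded_int(
            payload["numObjectiusEliminats"], MAX_OBJECTIUS)
    if "urlImatge" in payload:
        clean["urlImatge"] = validate_image_url(payload["urlImatge"])
    return clean


def screen_request(payload, session_user_key, assigned_target_key):
    """Handler-friendly wrapper: ("ok", sanitized) or ("reject", reason)."""
    try:
        return "ok", validate_add_jugador(payload, session_user_key, assigned_target_key)
    except ValidationError as exc:
        return "reject", str(exc)


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    print(screen_request({"keyJugador": "p1", "punts": "12"}, "p1", "p2"))
    print(screen_request({"keyJugador": "p2", "punts": "12"}, "p1", "p2"))
    print(screen_request({"keyJugador": "p1", "tokens": "admin"}, "p1", "p2"))
    print(screen_request({"keyJugador": "p1", "punts": "9" * 40}, "p1", "p2"))
    print(screen_request({"keyJugador": "p1", "urlImatge": "https://127.0.0.1/x.png"}, "p1", "p2"))
```

Two design points. First, bounding 'punts' and 'numObjectiusEliminats' is the least invasive fix; the stronger one is to have the server derive scores and eliminations from validated game events and stop accepting totals from the client at all. Second, the allowlist check above looks only at the host name, so it does not cover a permitted name that later resolves to an internal address; the component that actually fetches the image should resolve the name, re-check the resulting address against the same non-public test, and disable redirects, and egress filtering at the network level should back that up, which is the network-level control the recommendation refers to.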
CVSS v4.0
Score: 9.4 (Critical)
Weaknesses: CWE-20 Improper input validation
Technical Details
- Data Version: 5.2
- Assigner Short Name: INCIBE
- Date Reserved: 2026-04-27T07:25:26.958Z
- CVSS Version: 4.0
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a393e8aeed863c81ee5cd7b
Added to database: 06/22/2026, 13:54:18 UTC
Last enriched: 06/22/2026, 14:09:25 UTC
Last updated: 06/23/2026, 02:08:10 UTC