CVE-2026-32736 in wiki
Summary
by MITRE • 03/19/2026
The Hytale Modding Wiki is a free service for Hytale mods to host their documentation & wikis. An Insecure Direct Object Reference (IDOR) vulnerability in versions of the wiki prior to 1.0.0 exposes mod authors' personal information - including full names and email addresses - to any authenticated user who visits a mod page. Any user who creates an account can access sensitive author details by simply navigating to a mod's page via its slug. Version 1.0.0 fixes the issue.
Analysis
by VulDB Data Team • 03/23/2026
The Hytale Modding Wiki is a collaborative platform on which mod authors publish documentation and resources for the Hytale community. Registered users can view mod pages and their documentation; the service is free to use, so account creation is the only barrier to that content. The vulnerability analysed here lies in the authorisation logic that decides which parts of a mod page's author record a given visitor may see.
The flaw is an Insecure Direct Object Reference, classified under CWE-639 (Authorization Bypass Through User-Controlled Key): the application resolves a user-supplied key directly to a stored object and returns it without checking whether the caller is entitled to that object's contents. Here the key is the mod's URL slug. Any authenticated user who requests a mod page by slug receives, alongside the public documentation, the author's full name and email address. The wiki verifies that the requester is logged in (authentication) but never asks whether that particular requester may see that particular author's contact details (object-level authorisation). Because the check is missing rather than merely weak, there is nothing to bypass: the normal page request is the exploit.
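To make the distinction between "is logged in" and "may see this object's private fields" concrete, here is a small reconstruction of the page-rendering logic in both shapes. This is added illustration, not code from the Hytale Modding Wiki or from its fix; the data model (`User`, `Mod`), the field names, the helper names and the sample rows are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional


# Constructed sample data: two mod authors, one ordinary account, one admin.
# None of this comes from the real wiki; it exists only so the example runs.
@dataclass(frozen=True)
class User:
    id: int
    handle: str        # public display name shown on mod pages
    full_name: str     # private: disclosed by the vulnerable version
    email: str         # private: disclosed by the vulnerable version
    is_admin: bool = False


@dataclass(frozen=True)
class Mod:
    slug: str          # the user-controlled key in the URL (/mods/<slug>)
    title: str
    author_id: int


USERS = {
    1: User(1, "forgewright", "Alice Example", "alice@example.invalid"),
    2: User(2, "mossy", "Bob Example", "bob@example.invalid"),
    3: User(3, "newaccount", "Carol Example", "carol@example.invalid"),
    9: User(9, "staff", "Dana Example", "dana@example.invalid", is_admin=True),
}
MODS = {
    "better-torches": Mod("better-torches", "Better Torches", author_id=1),
    "moss-blocks": Mod("moss-blocks", "Moss Blocks", author_id=2),
}


def render_mod_page_vulnerable(slug: str, requester: User) -> Optional[dict]:
    """Assumed pre-1.0.0 shape of the bug: the caller has already passed the
    login check, the slug is resolved to a mod, and the whole author row is
    serialised. Nothing ties the requester to the object being returned."""
    mod = MODS.get(slug)
    if mod is None:
        return None
    author = USERS[mod.author_id]
    return {
        "slug": mod.slug,
        "title": mod.title,
        "author": {
            "handle": author.handle,
            "full_name": author.full_name,   # leaked
            "email": author.email,           # leaked
        },
    }


def can_view_author_contact(mod: Mod, requester: User) -> bool:
    """Object-level authorisation: the contact details of *this* mod's author
    are visible only to that author or to an administrator."""
    return requester.is_admin or requester.id == mod.author_id


def render_mod_page(slug: str, requester: User) -> Optional[dict]:
    """Hardened version: public fields for every authenticated user, private
    fields only when can_view_author_contact() allows it for this object.
    Putting the filter here, where the record is serialised, means every
    route that renders a mod (HTML, JSON, search results) inherits it."""
    mod = MODS.get(slug)
    if mod is None:
        return None
    author = USERS[mod.author_id]
    page = {"slug": mod.slug, "title": mod.title, "author": {"handle": author.handle}}
    if can_view_author_contact(mod, requester):
        page["author"]["full_name"] = author.full_name
        page["author"]["email"] = author.email
    return page


def leaks_pii(page: Optional[dict]) -> bool:
    """Regression check for access-control tests: does a rendered page expose
    either private author field?"""
    return page is not None and (
        "email" in page["author"] or "full_name" in page["author"]
    )


if __name__ == "__main__":
    stranger = USERS[3]
    print("vulnerable:", render_mod_page_vulnerable("better-torches", stranger))
    print("hardened:  ", render_mod_page("better-torches", stranger))
```

The `leaks_pii` helper is the kind of assertion that belongs in the test suite for every object-returning endpoint: render the object as a user who is not its owner and assert that no private field is present.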
The operational impact is broader than a single leaked record. Because the only precondition is an account, and accounts are free, anyone can register and walk the list of mod slugs to harvest the full names and email addresses of every author on the platform. Those two fields together are enough for targeted phishing and social engineering against the people who maintain widely installed mods, and they link a pseudonymous handle to a real identity for authors who chose to publish under a handle precisely to avoid that. The defect also undercuts least privilege: an ordinary member needs a mod's documentation, not its author's contact details, yet the two were served together.
Version 1.0.0 fixes the issue; the advisory does not describe the change in detail, but the correct remediation is an object-level authorisation check that runs before private author fields are returned, granting them only to the author in question or to staff, regardless of which route (HTML page, JSON endpoint, search) produced the record. Enforcing that filter where the author record is serialised, rather than in each handler, is what keeps the same slug-keyed lookup from leaking again through another endpoint. Operators should also log authenticated mod-page requests with the requesting account and look for a single account fetching many distinct mod pages in a short window, which is the footprint of bulk harvesting against this class of bug. Finally, the remediation should include a review of every place the application resolves a user-supplied key to a stored object, plus access-control tests that render each such object as a non-owner and assert that no private field is present.
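As an added illustration of the monitoring suggested above (not the wiki's own tooling, and not based on its real log format), the following detector reads constructed access-log lines and flags any account that fetched more than a threshold of distinct mod pages inside a sliding time window. The log line format, the field names and the thresholds are assumptions for the example; repeat views of the same page are not counted, since harvesting is characterised by breadth across objects rather than volume against one.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log (assumed format: ISO-8601 UTC timestamp, authenticated
# user id, method, path, HTTP status). user=3 sweeps seven distinct mod pages
# in seven seconds; user=1 views two; user=2 reloads one page repeatedly.
SAMPLE_LOG = """\
2026-03-20T10:00:01Z user=3 GET /mods/better-torches 200
2026-03-20T10:00:02Z user=3 GET /mods/moss-blocks 200
2026-03-20T10:00:03Z user=3 GET /mods/dark-caves 200
2026-03-20T10:00:04Z user=3 GET /mods/extra-biomes 200
2026-03-20T10:00:05Z user=3 GET /mods/fast-rails 200
2026-03-20T10:00:06Z user=3 GET /mods/glow-ore 200
2026-03-20T10:00:07Z user=3 GET /mods/hunger-tweaks 200
2026-03-20T10:00:08Z user=3 GET /mods/no-such-mod 404
2026-03-20T10:00:09Z user=1 GET /mods/better-torches 200
2026-03-20T10:00:10Z user=1 GET /mods/moss-blocks 200
2026-03-20T10:00:11Z user=2 GET /mods/moss-blocks 200
2026-03-20T10:00:12Z user=2 GET /mods/moss-blocks 200
2026-03-20T10:00:13Z user=2 GET /mods/moss-blocks 200
2026-03-20T10:00:14Z user=2 GET /mods/moss-blocks 200
2026-03-20T10:00:15Z user=2 GET /mods/moss-blocks 200
2026-03-20T10:00:16Z user=2 GET /mods/moss-blocks 200
"""

LINE_RE = re.compile(r"^(\S+) user=(\d+) GET /mods/([A-Za-z0-9-]+) (\d{3})$")


def parse_line(line: str):
    """Return (timestamp, user_id, slug, status) or None for lines that do not
    match the assumed mod-page request format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, int(m.group(2)), m.group(3), int(m.group(4))


def find_enumerators(log_text: str, window_seconds: int = 60, max_distinct_mods: int = 5) -> dict:
    """Map user_id -> peak number of distinct mod slugs fetched successfully
    within any window_seconds-long window, for users exceeding
    max_distinct_mods. Only 200 responses count: those are the requests that
    actually returned a page (and, pre-1.0.0, the author's details)."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None or parsed[3] != 200:
            continue
        ts, uid, slug, _ = parsed
        events[uid].append((ts, slug))

    flagged = {}
    for uid, evs in events.items():
        evs.sort()
        peak, start = 0, 0
        for end in range(len(evs)):
            # Advance the window's left edge until it spans <= window_seconds.
            while (evs[end][0] - evs[start][0]).total_seconds() > window_seconds:
                start += 1
            distinct = len({slug for _, slug in evs[start:end + 1]})
            peak = max(peak, distinct)
        if peak > max_distinct_mods:
            flagged[uid] = peak
    return flagged


if __name__ == "__main__":
    print(find_enumerators(SAMPLE_LOG))
```

Tune `window_seconds` and `max_distinct_mods` to the site's real browsing patterns before alerting on the result; a moderator reviewing submissions will legitimately open many pages, so the alert is a prompt for review, not proof of harvesting.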