the-hideout tarkov-data-manager up to 2.0.0 improper authentication
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 8.4 | $0-$5k | 0.00 |
Summary
A vulnerability marked as critical has been reported in the-hideout tarkov-data-manager up to 2.0.0. The affected element is an unknown function. The manipulation leads to improper authentication. This vulnerability is uniquely identified as CVE-2026-21854. The attack is possible to be carried out remotely. No exploit exists. Applying a patch is the recommended action to fix this issue.
Details
A vulnerability was found in the-hideout tarkov-data-manager up to 2.0.0 and classified as critical. This issue affects an unknown code. The manipulation with an unknown input leads to a improper authentication vulnerability. Using CWE to declare the problem leads to CWE-287. When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. Impacted is confidentiality, integrity, and availability. The summary by CVE is:
The Tarkov Data Manager is a tool to manage the Tarkov item data. Prior to 02 January 2025, an authentication bypass vulnerability in the login endpoint allows any unauthenticated user to gain full admin access to the Tarkov Data Manager admin panel by exploiting a JavaScript prototype property access vulnerability, combined with loose equality type coercion. A series of fix commits on 02 January 2025 fixed this and other vulnerabilities.
The advisory is shared at github.com. The identification of this vulnerability is CVE-2026-21854 since 01/05/2026. The exploitation is known to be easy. The attack may be initiated remotely. No form of authentication is needed for a successful exploitation. Neither technical details nor an exploit are publicly available.
Applying the patch f188f0abf766cefe3f1b7b4fc6fe9dad3736174a is able to eliminate this problem. The bugfix is ready for download at github.com.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Product
Vendor
Name
Version
License
Website
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔒VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 8.5VulDB Meta Temp Score: 8.4
VulDB Base Score: 7.3
VulDB Temp Score: 7.0
VulDB Vector: 🔒
VulDB Reliability: 🔍
CNA Base Score: 9.8
CNA Vector (GitHub_M): 🔒
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔒
VulDB Temp Score: 🔒
VulDB Reliability: 🔍
Exploiting
Class: Improper authenticationCWE: CWE-287
CAPEC: 🔒
ATT&CK: 🔒
Physical: No
Local: No
Remote: Yes
Availability: 🔒
Status: Not defined
EPSS Score: 🔒
EPSS Percentile: 🔒
Price Prediction: 🔍
Current Price Estimation: 🔒
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: PatchStatus: 🔍
0-Day Time: 🔒
Patch: f188f0abf766cefe3f1b7b4fc6fe9dad3736174a
Timeline
01/05/2026 CVE reserved01/07/2026 Advisory disclosed
01/07/2026 VulDB entry created
01/07/2026 VulDB entry last update
Sources
Product: github.comAdvisory: GHSA-r8w6-9xwg-6h73
Status: Confirmed
CVE: CVE-2026-21854 (🔒)
GCVE (CVE): GCVE-0-2026-21854
GCVE (VulDB): GCVE-100-339917
Entry
Created: 01/07/2026 22:14Changes: 01/07/2026 22:14 (65)
Complete: 🔍
Cache ID: 216::103
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
No comments yet. Languages: en.
Please log in to comment.