Platform: javascript
Component: tarkov-data-manager
Fixed in: 2.0.1
CVE-2026-21854 is an authentication bypass vulnerability affecting Tarkov Data Manager version 2.0.0. The flaw allows unauthenticated users to gain full administrative access to the admin panel. It stems from a JavaScript prototype property access issue combined with loose equality type coercion. A fix was released on January 2, 2025, in version 2.0.1.
Successful exploitation of CVE-2026-21854 grants an attacker complete control over the Tarkov Data Manager admin panel. This includes the ability to modify item data, user accounts, and potentially other configurations. The attacker could manipulate game assets, inject malicious content, or compromise the integrity of the entire data management system. Given the tool's role in managing Tarkov item data, this vulnerability poses a significant risk to the game's stability and player experience. The ease of exploitation, requiring no authentication, significantly increases the potential for widespread abuse.
CVE-2026-21854 was publicly disclosed on January 7, 2026. While no public proof-of-concept (PoC) has been widely reported, the ease of exploitation suggests a high probability of active exploitation. The vulnerability's severity (CVSS 9.8) and the potential impact warrant immediate attention. It has not been added to the CISA KEV catalog as of this writing.
Exploit Status
EPSS: 0.66% (71st percentile)
The primary mitigation for CVE-2026-21854 is to immediately upgrade Tarkov Data Manager to version 2.0.1 or later. If upgrading is not immediately feasible due to compatibility issues or downtime concerns, consider implementing strict input validation on the login endpoint to prevent prototype property access. While not a complete fix, this can reduce the attack surface. Monitor the login endpoint for suspicious activity, such as repeated failed login attempts from unusual IP addresses. After upgrading, confirm the fix by attempting to access the admin panel without authentication – access should be denied.
Update Tarkov Data Manager to a version later than January 2, 2025. This will resolve the authentication bypass vulnerability. See the security announcement on GitHub for more details.
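The interim input validation mentioned above, sketched as an added example rather than code from Tarkov Data Manager: it accepts only own string fields, looks users up in a store with no inherited keys, and compares strictly. The names `USERS`, `validateCredentials`, `authenticate` and `demoVerify` are hypothetical, and the user store and hash values are constructed.

```javascript
'use strict';
// Added illustration; not the project's code. All names here are hypothetical.

// Constructed sample store. A Map has no inherited keys, so names such as
// "constructor" or "__proto__" can never resolve to a built-in property.
const USERS = new Map([
  ['admin', { passwordHash: 'constructed-hash-of-admin-secret' }],
]);

// Accept only a plain object whose username and password are non-empty strings
// of bounded length. Arrays, numbers, null, booleans and nested objects fail.
function validateCredentials(body) {
  if (body === null || typeof body !== 'object' || Array.isArray(body)) return null;
  // Read own properties only, so values inherited from a prototype are ignored.
  const own = (k) =>
    (Object.prototype.hasOwnProperty.call(body, k) ? body[k] : undefined);
  const username = own('username');
  const password = own('password');
  for (const v of [username, password]) {
    if (typeof v !== 'string' || v.length === 0 || v.length > 128) return null;
  }
  return { username, password };
}

// verifyHash is an assumed callback (storedHash, candidate) -> boolean, for
// example a wrapper around whatever password-hashing library is in use.
function authenticate(users, body, verifyHash) {
  const creds = validateCredentials(body);
  if (creds === null) return false;
  const record = users.get(creds.username);
  if (record === undefined || typeof record.passwordHash !== 'string') return false;
  // Strict check: anything other than the literal value true is a failure,
  // so no type coercion can turn a missing or odd value into a match.
  return verifyHash(record.passwordHash, creds.password) === true;
}

// Constructed stand-in verifier for this demo only.
const demoVerify = (hash, pw) => hash === 'constructed-hash-of-' + pw;

console.log(authenticate(USERS, { username: 'admin', password: 'admin-secret' }, demoVerify));
console.log(authenticate(USERS, { username: 'constructor' }, demoVerify));
```

Requests rejected by `validateCredentials` are also a useful signal to log when monitoring the login endpoint, since legitimate clients do not send non-string credentials.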
CVE-2026-21854 is a critical vulnerability in Tarkov Data Manager version 2.0.0 that allows unauthenticated users to gain full admin access via a JavaScript prototype property access flaw.
Yes, if you are using Tarkov Data Manager version 2.0.0, you are affected by this vulnerability and should upgrade immediately.
Upgrade to version 2.0.1 or later to resolve this vulnerability. As a temporary workaround, implement strict input validation on the login endpoint.
While no widespread exploitation has been publicly confirmed, the vulnerability's ease of exploitation suggests a high probability of active exploitation.
Refer to the official Tarkov Data Manager documentation and release notes for details on this vulnerability and the fix.