Platform
javascript
Component
tarkov-data-manager
Fixed version
2.0.1
CVE-2026-21854 describes an authentication bypass vulnerability affecting Tarkov Data Manager versions 2.0.0 through 2.0.0. This flaw allows unauthenticated users to gain full administrative access to the admin panel. The vulnerability stems from a JavaScript prototype property access issue combined with loose equality type coercion. A fix was released on January 2, 2025, in version 2.0.1.
Successful exploitation of CVE-2026-21854 grants an attacker complete control over the Tarkov Data Manager admin panel. This includes the ability to modify item data, user accounts, and potentially other configurations. The attacker could manipulate game assets, inject malicious content, or compromise the integrity of the entire data management system. Given the tool's role in managing Tarkov item data, this vulnerability poses a significant risk to the game's stability and player experience. The ease of exploitation, requiring no authentication, significantly increases the potential for widespread abuse.
CVE-2026-21854 was publicly disclosed on January 7, 2026. While no public proof-of-concept (PoC) has been widely reported, the ease of exploitation suggests a high probability of active exploitation. The vulnerability's severity (CVSS 9.8) and the potential impact warrant immediate attention. It has not been added to the CISA KEV catalog as of this writing.
Administrators and users of the Tarkov Data Manager are at risk. Specifically, deployments using older versions (2.0.0) are vulnerable. Shared hosting environments where multiple users share the same instance of the Tarkov Data Manager are particularly susceptible due to the ease of exploitation.
• javascript / web:
// Check login requests for prototype-pollution style input
// Look for property names or values such as '__proto__' or 'constructor' in POST data
• generic web:
curl -I <tarkov_data_manager_login_endpoint> | grep -i 'WWW-Authenticate'
# An unauthenticated request should be challenged (401 with WWW-Authenticate) or redirected to the login page, never answered with 200
patch
disclosure
Exploit status
EPSS
0.66% (71st percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-21854 is to immediately upgrade Tarkov Data Manager to version 2.0.1 or later. If upgrading is not immediately feasible due to compatibility issues or downtime concerns, consider implementing strict input validation on the login endpoint to prevent prototype property access. While not a complete fix, this can reduce the attack surface. Monitor the login endpoint for suspicious activity, such as repeated failed login attempts from unusual IP addresses. After upgrading, confirm the fix by attempting to access the admin panel without authentication – access should be denied.
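The following is an added example and not code from Tarkov Data Manager or its maintainers. It models the bug class the advisory names (a username lookup that resolves inherited prototype properties, paired with loose equality) on constructed sample data, then shows the hardened lookup and strict credential comparison that the interim mitigation calls for, plus the request screening suggested in the detection note. The names findUserUnsafe, findUserSafe, authenticate and suspiciousLoginBody, and all user records, are assumptions made for illustration.

```javascript
// Added example, not the project's code. All user data below is constructed.

// Constructed user store as a plain object literal, so it inherits
// Object.prototype and every key on that prototype is reachable by name.
const usersUnsafe = {
  alice: { password: "s3cret", role: "admin" },
};

// Unsafe pattern: bracket access on a plain object walks the prototype
// chain, so a username such as "constructor" resolves to a function rather
// than undefined. With loose equality (==) a later comparison of missing
// fields can coerce to true (undefined == null is true), which is the
// combination the advisory describes.
function findUserUnsafe(username) {
  return usersUnsafe[username]; // "constructor" -> Object, not undefined
}

// Hardened store: created with a null prototype, so there is no chain to walk.
const usersSafe = Object.create(null);
usersSafe.alice = { password: "s3cret", role: "admin" };

// Hardened lookup: only string usernames and only own properties are accepted.
function findUserSafe(username) {
  if (typeof username !== "string") return null;
  return Object.prototype.hasOwnProperty.call(usersSafe, username)
    ? usersSafe[username]
    : null;
}

// Credential check with strict types and strict equality; nothing is coerced.
// A real deployment would compare password hashes in constant time instead.
function authenticate(username, password) {
  const user = findUserSafe(username);
  if (user === null || typeof password !== "string") return false;
  return user.password === password;
}

// Detection helper matching the advisory's note: flag login bodies whose keys
// or values name prototype members, or whose values are not plain strings.
const PROTOTYPE_NAMES = new Set([
  "__proto__", "constructor", "prototype", "toString", "valueOf", "hasOwnProperty",
]);

function suspiciousLoginBody(body) {
  const findings = [];
  for (const [key, value] of Object.entries(body)) {
    if (PROTOTYPE_NAMES.has(key)) findings.push(`key:${key}`);
    if (typeof value === "string" && PROTOTYPE_NAMES.has(value)) findings.push(`${key}:${value}`);
    if (value !== null && typeof value === "object") findings.push(`${key}:non-string`);
  }
  return findings;
}
```

The screening function is meant to run on the parsed request body before it reaches the login handler; a non-empty result is worth logging alongside the source address, which also covers the "repeated attempts from unusual IP addresses" monitoring the mitigation text recommends.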
Update Tarkov Data Manager to a version later than the one from January 2, 2025. This fixes the authentication bypass vulnerability. See the security advisory on GitHub for more details.
CVE-2026-21854 is a critical vulnerability in Tarkov Data Manager versions 2.0.0-2.0.0 that allows unauthenticated users to gain full admin access via a JavaScript prototype property access flaw.
Yes, if you are using Tarkov Data Manager version 2.0.0, you are affected by this vulnerability and should upgrade immediately.
Upgrade to version 2.0.1 or later to resolve this vulnerability. As a temporary workaround, implement strict input validation on the login endpoint.
While no widespread exploitation has been publicly confirmed, the vulnerability's ease of exploitation suggests a high probability of active exploitation.
Refer to the official Tarkov Data Manager documentation and release notes for details on this vulnerability and the fix.