Venueless Chat Exfiltration Vulnerability for Users with Update World Permission

Vulnerability

A vulnerability allows users with the 'update world' permission in any Venueless world to exfiltrate chat messages from direct messages or channels in other worlds on the same server. This issue arises from a bug in the reporting feature. Exploitation is limited, as the attacker must know the internal channel UUID of the chat channel, which is unlikely to be obtained by an outside attacker, especially for direct messages.

Impact

Exploitation of this vulnerability allows for unauthorized access to chat contents, including direct messages and channel messages, from other worlds on the same server.

Remediation

The vulnerability is fixed in version e20083a and later. There are no specific workarounds, but it is advised not to grant privileged permissions to users.
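
As an added illustration (not Venueless code, which this page does not show), the example below assumes the flaw class is a channel lookup by UUID that is not bound to the world in which the permission was checked, and places that unscoped lookup beside a world-scoped one. `Channel`, `Store`, the function names and the `world:update` string are hypothetical, and the data is constructed.

```python
import uuid
from dataclasses import dataclass, field

# Constructed in-memory model; all names are hypothetical, not Venueless code.
@dataclass
class Channel:
    id: uuid.UUID
    world_id: str
    messages: list = field(default_factory=list)

class Store:
    def __init__(self):
        self.channels = {}

    def add(self, world_id, messages):
        ch = Channel(uuid.uuid4(), world_id, list(messages))
        self.channels[ch.id] = ch
        return ch

def _require_update(permissions):
    if "world:update" not in permissions:  # assumed permission string
        raise PermissionError("update world permission required")

def report_unscoped(store, caller_world, permissions, channel_id):
    """Before: permission checked for the caller's world, channel resolved server-wide."""
    _require_update(permissions)
    ch = store.channels.get(channel_id)
    if ch is None:
        raise LookupError("unknown channel")
    return list(ch.messages)

def report_scoped(store, caller_world, permissions, channel_id):
    """After: the channel must belong to the world the permission was granted in."""
    _require_update(permissions)
    ch = store.channels.get(channel_id)
    # One error for "missing" and "other world", so a response never confirms
    # that a UUID exists elsewhere on the server.
    if ch is None or ch.world_id != caller_world:
        raise LookupError("unknown channel")
    return list(ch.messages)

# Constructed sample data: two worlds on one server.
STORE = Store()
OWN = STORE.add("world-a", ["hello"])
OTHER = STORE.add("world-b", ["private dm"])
```

The scoped variant is the kind of check a regression test for this class of bug should pin down: a valid permission in one world must never resolve an object owned by another.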

Added: Mar 27, 2026, 1:19 PM
Updated: Mar 27, 2026, 1:19 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 4.4
remediation: 0.0
relevance: 4.8
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.