CVE-2026-21854

Critical

Published: 07 January 2026

Published

07 January 2026

Modified

03 February 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0066 71.3th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

The Tarkov Data Manager is a tool to manage the Tarkov item data. Prior to 02 January 2025, an authentication bypass vulnerability in the login endpoint allows any unauthenticated user to gain full admin access to the Tarkov Data Manager…

admin panel by exploiting a JavaScript prototype property access vulnerability, combined with loose equality type coercion. A series of fix commits on 02 January 2025 fixed this and other vulnerabilities.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly mitigates the CVE by requiring identification, reporting, and timely patching of the authentication bypass flaw as fixed in the January 2025 commits.

IA-2 Identification and Authentication (Organizational Users) good match

prevent

Enforces robust identification and authentication for organizational users, preventing bypasses via JavaScript prototype pollution and loose type coercion in the login endpoint.

AC-3 Access Enforcement good match

prevent

Requires enforcement of approved authorizations for access to the admin panel, blocking unauthorized full admin privileges gained through the authentication bypass.

Security SummaryAI

CVE-2026-21854 is an authentication bypass vulnerability in the login endpoint of the Tarkov Data Manager, a tool for managing Tarkov item data. Versions prior to the fixes applied on 02 January 2025 are affected, where attackers can exploit a JavaScript prototype property access issue combined with loose equality type coercion to bypass authentication entirely. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWEs-287 (Improper Authentication), CWE-843 (Access of Resource Using Incompatible Type), and CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes).

Any unauthenticated remote attacker can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation grants full admin access to the Tarkov Data Manager admin panel, enabling high confidentiality, integrity, and availability impacts such as data modification, deletion, or exfiltration.

Mitigation involves updating to the patched version, as a series of fix commits were applied on 02 January 2025. Detailed patch information is available in the fixing commit at https://github.com/the-hideout/tarkov-data-manager/commit/f188f0abf766cefe3f1b7b4fc6fe9dad3736174a and the GitHub security advisory at https://github.com/the-hideout/tarkov-data-manager/security/advisories/GHSA-r8w6-9xwg-6h73.

Details

CWE(s): CWE-287 CWE-843 CWE-1321

Affected Products

tarkov

tarkov data manager

≤ 2025-01-02

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

The vulnerability is an authentication bypass in a network-accessible login endpoint of a public-facing web application, directly enabling exploitation of a public-facing application for unauthorized admin access.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/the-hideout/tarkov-data-manager/commit/f188f0abf766cefe3f1b7b4fc6fe9dad3736174a
Patch · security-advisories@github.com
https://github.com/the-hideout/tarkov-data-manager/security/advisories/GHSA-r8w6-9xwg-6h73
Vendor Advisory · security-advisories@github.com