External risk intelligence

Assassin Game Gaudire Endpoint Vulnerabilities Allow Privilege Escalation and Data Exposure.

CVE advisorySeverity: CRITICAL (CVSS 9.4)

CVE-2026-7165

The vulnerability resides in a web application endpoint (/addJugador) used for game management. Such web-based game services are commonly deployed as internet-facing applications, making the endpoint reachable by users over the public internet in standard deployment patterns.

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory describes vulnerabilities in a web application's game management endpoint that could allow an authenticated attacker to modify user information, falsify game scores to claim prizes, gain administrative privileges, cause denial-of-service, and access sensitive internal data. The main concern is confirming relevance and exposure.

  • Unauthorized data alteration and prize claims.
  • Critical flaws risk admin access and data breaches.
  • Confirm if our systems are affected by these risks.

Attack Path

How an attacker could exploit the issue

An attacker with authenticated access can leverage vulnerabilities in the `/addJugador` endpoint to compromise user data and game integrity. By manipulating specific parameters, an attacker can alter user information, falsify game scores to claim prizes, or assign themselves administrative privileges. Additionally, specially crafted numeric inputs can lead to a denial-of-service attack, rendering games unplayable. The `urlImatge` parameter also allows for the retrieval of sensitive internal information.

  • Entry condition: Authenticated user.
  • Trigger point: Manipulating game score parameters.
  • Resulting risk: Unauthorized access and game disruption.

Live Threat

Current exploitation, exposure, and threat context

An authenticated attacker could modify user information, falsify game scores to obtain prizes, assign themselves administrator privileges, cause denial-of-service by crashing the system with excessively long inputs, or access sensitive internal data, including user IP addresses and local files, by exploiting vulnerabilities in the '/addJugador' endpoint.

  • User data and game integrity are at risk.
  • Unsanctioned modifications to parameters can occur.
  • Unauthorized access, data exposure, and service disruption are possible.

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability affects an application endpoint that allows modification of user information, falsification of game scores, self-assignment of administrative privileges, denial-of-service, and retrieval of sensitive data. Application owners and platform teams are likely responsible for managing this service, with potential involvement from security or vendor management teams if it's a third-party product. The first practical step is to identify all instances of this application, determine their exposure and business criticality, and then plan remediation based on risk.

  • Application owners should manage the issue.
  • Verify application reachability and criticality.
  • Plan remediation based on risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the Assassin Game Gaudire application?

Assassin Game Gaudire is a web-based platform, often utilized for organized urban-style interactive events. Its infrastructure includes a backend endpoint designed to manage participant data, track game progression, and handle scoring metrics, which are frequently linked to real-world rewards provided by municipal entities.

What weakness class does CVE-2026-7165 represent?

CVE-2026-7165 is primarily categorized under CWE-20, which is Improper Input Validation. In plain terms, this means the software does not sufficiently check or sanitize the information it receives from users before processing it. This lack of verification allows attackers to submit unexpected or malicious data that the system treats as legitimate, leading to the various security failures described.

How can an attacker trigger these vulnerabilities?

An attacker must have an authenticated user account to interact with the /addJugador endpoint. Once logged in, they can manipulate specific parameters—such as user keys, game scores, or URL inputs—to trigger unintended behavior. Simply browsing the site or sending unauthenticated requests will not activate these specific flaws, as they rely on the application accepting processed inputs from a recognized session.

Is my instance of this software at risk?

According to Halo Surface Signal, this software is often deployed as an internet-facing service, meaning the vulnerable endpoint may be reachable by anyone with a web connection. If your instance is accessible from the public internet, the potential for unauthorized interaction is higher. You should assess whether your specific deployment is exposed externally or restricted to internal users.

How should I respond to this vulnerability?

Your first step is to perform an inventory of all instances of the application within your environment. Once identified, evaluate the business criticality of each instance and its current network reachability. Coordinate with your application owners or platform teams to prioritize remediation, focusing on limiting access to the affected endpoint until the necessary security updates or configuration changes are applied.

References