CVE-2026-21854
Published: 07 January 2026
Summary
CVE-2026-21854 is a critical-severity Improper Authentication (CWE-287) vulnerability in Tarkov Tarkov Data Manager. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 26.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the CVE by requiring identification, reporting, and timely patching of the authentication bypass flaw as fixed in the January 2025 commits.
Enforces robust identification and authentication for organizational users, preventing bypasses via JavaScript prototype pollution and loose type coercion in the login endpoint.
Requires enforcement of approved authorizations for access to the admin panel, blocking unauthorized full admin privileges gained through the authentication bypass.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is an authentication bypass in a network-accessible login endpoint of a public-facing web application, directly enabling exploitation of a public-facing application for unauthorized admin access.
NVD Description
The Tarkov Data Manager is a tool to manage the Tarkov item data. Prior to 02 January 2025, an authentication bypass vulnerability in the login endpoint allows any unauthenticated user to gain full admin access to the Tarkov Data Manager…
more
admin panel by exploiting a JavaScript prototype property access vulnerability, combined with loose equality type coercion. A series of fix commits on 02 January 2025 fixed this and other vulnerabilities.
Deeper analysisAI
CVE-2026-21854 is an authentication bypass vulnerability in the login endpoint of the Tarkov Data Manager, a tool for managing Tarkov item data. Versions prior to the fixes applied on 02 January 2025 are affected, where attackers can exploit a JavaScript prototype property access issue combined with loose equality type coercion to bypass authentication entirely. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWEs-287 (Improper Authentication), CWE-843 (Access of Resource Using Incompatible Type), and CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes).
Any unauthenticated remote attacker can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation grants full admin access to the Tarkov Data Manager admin panel, enabling high confidentiality, integrity, and availability impacts such as data modification, deletion, or exfiltration.
Mitigation involves updating to the patched version, as a series of fix commits were applied on 02 January 2025. Detailed patch information is available in the fixing commit at https://github.com/the-hideout/tarkov-data-manager/commit/f188f0abf766cefe3f1b7b4fc6fe9dad3736174a and the GitHub security advisory at https://github.com/the-hideout/tarkov-data-manager/security/advisories/GHSA-r8w6-9xwg-6h73.
Details
- CWE(s)