PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-30760 SB-MaterialAdmin CVE debrief

An issue in SourceBans Material Admin before v.1.1.6 (3ecd95e) allows attackers to manipulate arbitrary user data in the web app via a crafted XAJAX call.

Vendor: SB-MaterialAdmin
Product: SourceBans Material Admin (Web panel)
CVSS: HIGH 7.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-29
Advisory published: 2026-05-28
Advisory updated: 2026-05-29

Who should care

Organizations running SourceBans Material Admin web panels for Source engine game server administration should prioritize patching. This vulnerability poses significant risk as it could allow attackers to escalate privileges, compromise administrator accounts, or disrupt game server operations. Web application security teams and game server administrators are the primary stakeholders.

Technical summary

SourceBans Material Admin versions prior to 1.1.6 contain an authorization bypass vulnerability in XAJAX endpoints. The application fails to properly validate user permissions when processing XAJAX requests, allowing unauthenticated or low-privileged attackers to craft malicious XAJAX calls that modify arbitrary user data. This includes potentially changing user permissions, passwords, or other sensitive account information. The vulnerability stems from missing or inadequate access control checks in the XAJAX request handlers.

Defensive priority

high

Recommended defensive actions

  • Upgrade SourceBans Material Admin to version 1.1.6 or later (commit 3ecd95e)
  • Review and restrict access to XAJAX endpoints in the web application
  • Implement proper authorization checks on all XAJAX handler functions
  • Audit user data modification logs for signs of unauthorized changes
  • Consider implementing additional input validation on XAJAX parameters
  • Monitor for suspicious XAJAX requests in web server access logs
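
The authorization-check action above, sketched as an added example (not code from this page or from SourceBans Material Admin): a deny-by-default gate that runs before any AJAX handler and also checks which user record is being modified. Handler names, permission bits and the session layout are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical permission bits; not the project's own flag values.
const PERM_EDIT_OWN   = 1;
const PERM_EDIT_USERS = 2;

// Every remotely callable handler is listed with the permission it needs.
// A handler that is not listed is refused (deny by default).
const HANDLER_POLICY = [
    'updateProfile' => PERM_EDIT_OWN,    // hypothetical handler name
    'setUserFlags'  => PERM_EDIT_USERS,  // hypothetical handler name
];

// $session is the server-side session (null when not logged in); the caller's
// identity and permissions are never taken from request parameters.
function authorize(?array $session, string $handler, int $targetUserId): void
{
    if (!array_key_exists($handler, HANDLER_POLICY)) {
        throw new RuntimeException('unknown handler');
    }
    if ($session === null) {
        throw new RuntimeException('not authenticated');
    }
    $required = HANDLER_POLICY[$handler];
    if (($session['perms'] & $required) !== $required) {
        throw new RuntimeException('missing permission');
    }
    // Object-level check: without the user-management permission, a caller
    // may only modify their own record, whatever id the request carries.
    if (($session['perms'] & PERM_EDIT_USERS) === 0 && $targetUserId !== $session['uid']) {
        throw new RuntimeException('target is another user');
    }
}

// Constructed sample sessions and requests.
$admin  = ['uid' => 1, 'perms' => PERM_EDIT_OWN | PERM_EDIT_USERS];
$player = ['uid' => 7, 'perms' => PERM_EDIT_OWN];
$cases  = [[null, 'setUserFlags', 1], [$player, 'setUserFlags', 7],
           [$player, 'updateProfile', 1], [$player, 'updateProfile', 7],
           [$admin, 'setUserFlags', 7], [$admin, 'dropTable', 7]];
foreach ($cases as [$session, $handler, $target]) {
    try {
        authorize($session, $handler, $target);
        $result = 'allowed';
    } catch (RuntimeException $e) {
        $result = 'denied: ' . $e->getMessage();
    }
    echo ($session['uid'] ?? 'anonymous') . " -> $handler($target): $result\n";
}
```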

Evidence notes

CVE published 2026-05-28. SourceBans Material Admin is a web-based administration panel for Source engine game servers. The vulnerability involves improper authorization or input validation in XAJAX endpoints, allowing attackers to modify user data without proper authentication or authorization checks. The fix version is v.1.1.6 (commit 3ecd95e). GitHub issue #374 tracks this vulnerability.
