PT-2026-37252 · Geyser · Geyser
Mugi-Sec · Published 2026-05-05 · Updated 2026-05-12 · CVE-2026-42188
CVSS v3.1: 2.4 (Low)
Vector: AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Geyser versions prior to 2.9.3
Description: A server-side request forgery (SSRF) exists in the handling of Bedrock player head texture data. By supplying a crafted Base64-encoded skin texture URL via the '/give' command, an attacker can cause the Minecraft server to issue arbitrary HTTP GET requests to internal or attacker-controlled endpoints. This occurs because the URL contained in the textures.SKIN.url field is not sufficiently validated when Geyser processes the Base64-encoded JSON value for custom player heads using the minecraft:profile NBT structure. This blind SSRF can be used for internal network probing, cloud metadata access attempts, and IP address disclosure of the Minecraft server.
Recommendations: Update to version 2.9.3.
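The weakness described above is a missing check between "decode the profile's Base64 JSON" and "fetch whatever textures.SKIN.url says". The following is an added example of what such a check can look like; it is not Geyser's code and not the fix shipped in 2.9.3. It assumes an allowlist containing only Mojang's texture host (textures.minecraft.net) and a required /texture/ path prefix, both assumptions for this example, and it rejects anything else (other schemes, IP literals, internal addresses, userinfo tricks, explicit ports) before any HTTP request would be made. The sample profile values in the block are constructed.

```python
import base64
import json
from urllib.parse import urlsplit

# Assumption for this example (not Geyser's actual post-2.9.3 policy):
# only Mojang's texture server may be contacted, and only under /texture/.
ALLOWED_TEXTURE_HOSTS = {"textures.minecraft.net"}
ALLOWED_SCHEMES = {"http", "https"}
REQUIRED_PATH_PREFIX = "/texture/"


class TextureUrlRejected(ValueError):
    """Raised when a profile's textures.SKIN.url fails validation."""


def encode_textures_value(textures: dict) -> str:
    """Build the Base64 JSON string a 'textures' profile property carries (used to construct samples)."""
    return base64.b64encode(json.dumps(textures).encode()).decode()


def decode_textures_value(b64_value: str) -> dict:
    """Decode the Base64-encoded JSON held in the minecraft:profile 'textures' property."""
    try:
        data = json.loads(base64.b64decode(b64_value, validate=True))
    except ValueError as exc:  # binascii.Error and json.JSONDecodeError both subclass ValueError
        raise TextureUrlRejected(f"textures value is not valid Base64 JSON: {exc}") from exc
    if not isinstance(data, dict):
        raise TextureUrlRejected("textures value must decode to a JSON object")
    return data


def extract_skin_url(textures: dict) -> str:
    """Pull textures.SKIN.url out of the decoded object, insisting on the expected shape."""
    try:
        url = textures["textures"]["SKIN"]["url"]
    except (KeyError, TypeError) as exc:
        raise TextureUrlRejected("textures.SKIN.url is missing") from exc
    if not isinstance(url, str):
        raise TextureUrlRejected("textures.SKIN.url must be a string")
    return url


def validate_skin_url(url: str) -> str:
    """Return url unchanged if it points at an allowlisted texture host; otherwise raise."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise TextureUrlRejected(f"scheme {parts.scheme!r} not allowed")
    if parts.username is not None or parts.password is not None:
        # userinfo lets an allowlisted name appear before '@' while a different host is contacted
        raise TextureUrlRejected("userinfo in URL not allowed")
    if parts.hostname is None or parts.hostname not in ALLOWED_TEXTURE_HOSTS:
        # hostname is already lowercased; IP literals and internal names simply fail the allowlist
        raise TextureUrlRejected(f"host {parts.hostname!r} is not an allowed texture host")
    try:
        explicit_port = parts.port
    except ValueError as exc:
        raise TextureUrlRejected("malformed port") from exc
    if explicit_port is not None:
        raise TextureUrlRejected("explicit port not allowed")
    if not parts.path.startswith(REQUIRED_PATH_PREFIX):
        raise TextureUrlRejected(f"path must start with {REQUIRED_PATH_PREFIX}")
    return url


def skin_url_from_profile(b64_value: str) -> str:
    """Validated URL of the skin referenced by a Base64 textures value; raises on anything off-list."""
    return validate_skin_url(extract_skin_url(decode_textures_value(b64_value)))


def is_safe_textures_value(b64_value: str) -> bool:
    """True only if the texture URL passed every check above."""
    try:
        skin_url_from_profile(b64_value)
    except TextureUrlRejected:
        return False
    return True


if __name__ == "__main__":
    # Constructed samples: a legitimate texture URL and one aimed at a cloud metadata address.
    samples = {
        "legit": {"textures": {"SKIN": {"url": "http://textures.minecraft.net/texture/abc123"}}},
        "internal": {"textures": {"SKIN": {"url": "http://169.254.169.254/latest/meta-data/"}}},
    }
    for name, textures in samples.items():
        print(name, is_safe_textures_value(encode_textures_value(textures)))
```

The check runs entirely on the parsed URL, before any socket is opened, so a rejected profile never produces a request. A stricter deployment would also pin the resolved address at fetch time and disable redirects on the HTTP client, since an allowlisted host that redirects elsewhere would otherwise reintroduce the problem.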

Exploit · Fix · SSRF

Weakness Enumeration

Related Identifiers

CVE-2026-42188
GHSA-XCFG-FCR5-GW9R

Affected Products: Geyser