CVE-2026-26009
Catalyst is a platform built for enterprise game server hosts, game communities, and billing panel integrations. Install scripts defined in server templates execute directly on the host operating syst...
Overview
A critical security vulnerability has been identified in the Catalyst platform, a system used for managing game servers. This flaw allows unauthorized users to execute any command with the highest level of system privileges (root) on every machine in a server cluster.
Vulnerability Explanation
In simple terms, Catalyst uses templates to set up and configure game servers. The scripts inside these templates run directly on the host machine’s operating system with no isolation layer such as a container or sandbox. Crucially, these scripts execute automatically with full administrative (root) rights.
The problem is that any user account with permissions to create or modify these templates (template.create or template.update) can insert malicious shell commands into a template. When the platform processes this template, it will run those commands, giving the attacker complete control over the host system.
Potential Impact
The impact of this vulnerability is severe:
- Full System Compromise: An attacker can achieve root-level remote code execution on every node (physical or virtual machine) in the Catalyst cluster.
- Data Breach: Sensitive data on these hosts, including game server data, user information, and billing details, can be accessed, stolen, or destroyed.
- Service Disruption: Attackers can disrupt, disable, or delete game servers and hosting infrastructure.
- Cluster-Wide Attack: Compromising one node can serve as a foothold to attack all other machines in the managed cluster.
Remediation and Mitigation
Immediate action is required to secure affected deployments.
1. Primary Remediation (Patching):
The vulnerability is fixed in the Catalyst source code. Administrators must update their Catalyst installation to a version that includes commit 11980aaf3f46315b02777f325ba02c56b110165d or later. Consult the official Catalyst documentation or repository for the latest patched release.
2. Immediate Mitigation: If immediate patching is not possible, apply the following strict access controls as a temporary measure:
- Review and Restrict Permissions: Immediately audit all user accounts and remove the template.create and template.update permissions from any user who does not absolutely require them. Limit these privileges to only a few essential, trusted administrators.
- Audit Existing Templates: Review all existing server templates for any suspicious or unauthorized commands.
3. General Recommendation: After applying the patch, consider implementing additional security layers, such as regular permission audits and network segmentation for management panels, to reduce the impact of potential future vulnerabilities.
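One way to carry out the permission review from step 2, as an added example that is not Catalyst's own code: it lists every account that holds template.create or template.update, directly or through a role, and which of those fall outside a trusted-admin allowlist. The export shape, the wildcard grant semantics, and all user and role names are assumptions constructed for illustration.

```python
import fnmatch

# Permissions the advisory names as sufficient to alter install scripts.
RISKY = ("template.create", "template.update")

# Constructed sample export. The shape (roles, users, direct grants, wildcard
# patterns) is an assumption for illustration, not Catalyst's actual schema.
SAMPLE_EXPORT = {
    "roles": {
        "owner": ["*"],
        "support": ["server.read", "template.read"],
        "builder": ["template.*", "server.create"],
    },
    "users": [
        {"name": "alice", "roles": ["owner"], "permissions": []},
        {"name": "bob", "roles": ["support"], "permissions": ["template.update"]},
        {"name": "carol", "roles": ["builder"], "permissions": []},
        {"name": "dave", "roles": ["support"], "permissions": []},
        {"name": "erin", "roles": ["ghost"], "permissions": []},
    ],
}


def risky_grants(export):
    """Map each user to the risky permissions held and the origin of each grant."""
    findings = {}
    for user in export["users"]:
        sources = [("direct", user.get("permissions", []))]
        for role in user.get("roles", []):
            # A role missing from the export contributes no grants.
            sources.append((f"role:{role}", export["roles"].get(role, [])))
        for origin, grants in sources:
            for perm in RISKY:
                # Assumed wildcard semantics: "*" and "template.*" cover perm.
                if any(fnmatch.fnmatchcase(perm, g) for g in grants):
                    findings.setdefault(user["name"], {}).setdefault(perm, []).append(origin)
    return findings


def to_revoke(export, trusted):
    """Users holding a risky permission who are not on the trusted-admin allowlist."""
    return sorted(set(risky_grants(export)) - set(trusted))


if __name__ == "__main__":
    for name, perms in sorted(risky_grants(SAMPLE_EXPORT).items()):
        print(name, {p: o for p, o in sorted(perms.items())})
    print("revoke from:", to_revoke(SAMPLE_EXPORT, trusted={"alice"}))
```

Reporting the origin of each grant matters for cleanup: a direct grant is removed from the account, while a role-derived grant means the role itself needs to be narrowed or the user moved out of it.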