Business logic error: Not able to access newly created admin account with the username admin with the password in heroiclabs/nakama


Reported on

Jul 9th 2022

  1. Hello team, recently I found that I'm able to create dual admin via the same username, by creating a dual admin account we maybe not be able login the newly created admin user-named account.
  2. For example, the default username and password of nakama dashboard will be admin & password
  3. After login into default admin account, we have created another admin account using the following credentials:
username: admin
password: Passwd@123
role: administrator

account creation POC 1

account creation poc 2

  1. Now when we tries to login with newly created account via username & password, we are not able to login the creds, the server is trowing error like: Invalid credentials.
  2. To login with the newly created account, we need to use Email & passoword combo instead of username and password, the username &password combo will not work.

POC Screenrecord video:


  1. business logic
  2. The newly created admin username account can't login with username and password
We are processing your report and will contact the heroiclabs/nakama team within 24 hours. a year ago
We have contacted a member of the heroiclabs/nakama team and are waiting to hear back a year ago
We have sent a follow up to the heroiclabs/nakama team. We will try again in 7 days. a year ago
heroiclabs/nakama maintainer has acknowledged this report a year ago
Andrei Mihu validated this vulnerability a year ago
drxadz has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Andrei Mihu marked this as fixed in 3.13.0 with commit fcd007 a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
10 months ago


@maintainer can you please assign Cve for this report

to join this conversation