Multiple user creation with the same email Id via existing verification bypass in heroiclabs/nakama


Reported on

Jun 14th 2022

  1. Hello team, while i was checking on the nakama dashboard as an Administrator i noticed that we can bypass the existing verification and create multiple user with same email id

Steps to reproduce:

  1. Open the dashboard as an adminuser and go to the user management form
  2. Create a user and capture the request with burpsuite and send that request to repeater
  3. when we try to create a user with existing email id, the server will throw error like:
{"code":9,"message":"Username or Email already exists","details":[]}

  1. So we can bypass this validation and create new user with same email id by adding space in the email parameter like:
  1. In this case we have created user1 with email id and we are able to create user2 with the same email id by adding space in the email parameter like thisūüĎá:
  1. For another user with the same EmailID need to add an extra space like this, for each time add extra spaces:


  1. Due to this existing security mechanism bypass the owner can create multiple users via the same email id, and it can lead to business logic risk
  2. If an attacker has access to the admin user then the attacker can create users with the same email id
We are processing your report and will contact the heroiclabs/nakama team within 24 hours. a year ago
drxadz modified the report
a year ago
We have contacted a member of the heroiclabs/nakama team and are waiting to hear back a year ago
A heroiclabs/nakama maintainer has acknowledged this report a year ago
Andrei Mihu validated this vulnerability a year ago
drxadz has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Andrei Mihu marked this as fixed in 3.13.0 with commit 2192e9 a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
a year ago


@admin @maintainer can we go for a CVE? what's your opinion??

Jamie Slome
a year ago


@drxadz - it is up to the maintainer if they want to assign and publish a CVE for this report. Seeing as they did not request a CVE (which they can do through the UI), I assume they do not want one for this report.

to join this conversation