#Fix txAdmin trigger for cheats
Explain the issue better, maybe give some pointers on how to fix it…. Will help better than this 👀
Why did bro put suggestion bug and feedback
Idfk
i mean it is kinda a bug imo
Alr explain what you mean before I close this
just more so with FX then us
I'll help them out here since it was my suggestion to open this cause im kinda surprised it hasn't been addressed yet, but maybe there is a reason for that that i am unaware of:
I’d like to report a security vulnerability in txAdmin that allows unauthorized clients to exploit the txcl:setPlayerMode event (used for features like noclip, god mode, etc.) without any authentication or permission checks (i am aware its rare that this happens but should be prevented either way).
🧱 Affected Event(s)
- Event: txcl:setPlayerMode
- Location: txcl (as per docs/events.md)
This event allows clients to toggle admin modes like:
- noclip
- godmode
- superjump
- invisibility
Currently, any client can trigger this event using tools like cheat menus or Lua executors:
    -- Rough example...
    TriggerServerEvent("txAdmin:playerMode", "noclip", true)
🔥 Impact
- Unauthorized access to admin features like noclip or god mode.
- Security bypass: no server-side validation for txAdmin permissions (that i have seen).
- Potential escalation to other txAdmin features if not locked down.
This is already being abused in the wild by various cheat menus.
✅ Recommended Fixes
1. Server-side Permission Checks
Wrap the event handler with server-side permission logic, (e.g. LUA):
    RegisterNetEvent("txcl:setPlayerMode")
    AddEventHandler("txcl:setPlayerMode", function(mode, state)
        local src = source
        if not IsPlayerAceAllowed(src, "txadmin.menu") then
            DropPlayer(src, "Unauthorized event usage.")
            return
        end
        -- Proceed with mode change
    end)
2. Move Sensitive Logic Server-Side
Do not allow clients to control sensitive features directly. Instead:
- Clients request changes.
- Server validates permissions and applies the change.
3. Whitelist & Token-Based Authorization
Use session bound tokens or internal permission layers to limit what events can be fired by which clients (this is extreme and i doubt it will happen).
4. Make Dangerous Features Opt-In
Restrict features like noclip, god, etc., behind a configuration toggle.
🔒 Why This Matters
- txAdmin is trusted by the majority of the FiveM server ecosystem.
- Exploiting txcl:setPlayerMode breaks server trust, especially on semi-public and whitelisted servers.
- Securing this event would prevent a common vector for abuse.
@raw ether idk what to do here
Im honestly not expecting much with where tx is rn if you know what i mean
but yall could surprise me
Wdym
didnt cfx take over the repo?
Yes but tabby’s really the only one working on it
Idk
fair
that's what i figured tbh, hes the only one i ever see pushing stuff really! but figured it should be brought up since as tx grows i myself am even noticing more "cheat menus" surfacing
TriggerEvent('txcl:setPlayerMode', "noclip", true)
Thats the one
cheers, i was just trying to fill them in on the issue. until you seen and could respond
Wow such smart boi using chatgpt to create a useless vulnerability report.
Why don't you ask chatgpt how to trigger those "vulnerable events" and then post here the response.
it's the same bullshit "txadmin exploit" that have been circulating, dw about it, but thanks for the ping
Mb
dont worry, I understand why ppl are falling for this
the skiddies that published the "txadmin exploit" are the ones that should be ashamed of themselves

Could care less
@turbid pumice Sorry if my message above was a bit rude, but still, ask chatgpt for how to exploit it
and I'll help you understand
Clearly stated that
Nah I believe you tbh
I even said in the main chat that it’s not really a tx issue
But figured we should still bring it up in case
🤷
No feelings hurt here man you’re good 😂😂😂
I dont know if it works if u dont have the cheat thi
can you download and share here or in dms the file please?
I am not buying a cheat
U need the cheat
To load the trigger
It works. If you trigger those client events you will get god mode, no clip, etc.
Yup, and that's exactly the reason why this isn't an exploit
those actions are purely client side
See I didn’t know that tbh (even said in my post above that this could all be wrong)
Or
Thought I did
🤦
Sorry Tabby
and all cheats have always given the cheater the option to do stuff like god mode, see player ids, no clip, etc - REGARDLESS IF THEY HAVE TXADMIN OR NOT
so that's the issue
you don't "gain" any new permission or power
They’re truly just triggering a FXSERVER event are they not iirc?
so it's like, I'll leave a hammer at your desk 🔨
Then you go and use the hammer to smash your neighbors head.
... did you exploit the hammer to do that? Not really, because you already had the power to do that with any other hammer you could get anywhere
not fxserver, literally a client event
Yeah you knew what I meant (sorry little tipsy tonight 😂😂)
Those events are the ones that the server uses to respond to the client "you have this permission" or "request accepted, you can now use noclip"
The ugliest* part is them, sending the event to give all permissions to the client, which makes them even be able to open the in-game menu, even though they cant do anything in the menu that any cheat wouldn't already let them do
*Ugliest because it really looks like the cheater hacked into your txadmin
Yeah but it’s not truly a breach
I get what you mean
More of a “you think we did something special”
Well, don't feel dumb.
I promise that at my last job I have explained the exact same thing to a board of directors of one of the biggest telecoms in the americas.
Really smart, really rich people, that still didn't understand the first or second time I explained it
client side !== server side
Yeah fair, and honestly that’s why I didn’t take your first response as rude cause I knew it was probably just a WTF moment for you and you would explain eventually
I also tend not to let what people online say bother me… life’s too short 😊
same 
Will keep this all noted though for the next time it pops up (I’m sure it will happen)
But speaking solutions, I have a few options
1. Do nothing, as that is only a public opinion issue and not really a technical issue
2. Write some documentation page explaining why this is not really an issue
3. Just add a redundant event to the server to inform that the player has opened the menu, or triggered noclip, etc. and automatically ban them if they are not admin - except this can also easily be bypassed by just intercepting that event lol
4. Rewrite the entire menu code in typescript and add some complex and hard to implement security checks - which also wouldn't solve the issue because cheaters will still be able to use their cheats to trigger noclip/godmode/etc
Honestly, 2. Would be a good idea maybe
At least you wouldn’t have to keep repeating yourself 👀
I'll probably go the route of #3 because I already need to add some kind of statistics collection for menu actions
Fair enough
Oh yeah, and one more option:
5. Make those events be request-response with some sort of random key being sent every time - the issue is that it will add lag / delay to each time you want to do those actions... and it would make the experience feel sluggish
yeah that was one of the suggestions actually some sort of key but i did say and still do think that it would be more work than its worth and yeah like you said causes a delay during the validation/check step