The 26.1.2 patch quietly fixed a bug where spectators could attack and damage others under certain conditions. Exposed servers had to restart after the Tiny Takeover drop, and a new hardening guide tells admins exactly how broken things got.

Right after the cutesy Tiny Takeover update hit in late March, server operators discovered a nasty surprise: players in spectator mode could attack others under specific conditions. The bug turned invisible admin oversight into invisible PvP griefing. Mojang rolled out 26.1.1 for chat reporting failures, then 26.1.2 specifically for the spectator bug.
What the hardening guide actually says
The Supercraft Host guide published in the last few days lays out the checklist. Update to the 26.1.2 JAR immediately. Run Java 21 or 25. Set enforce-secure-profile to true and stop using the old workaround. Audit who has operator permissions. Test every plugin that touches EntityDamageEvent or gamemode switches. Paper, Folia and Leaf builds have backports, but you still have to verify them.
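The version, Java, enforce-secure-profile and operator items of that checklist can be checked mechanically. The script below is an added example, not code from the guide or from Mojang; the function names, the approved-operator list and the sample inputs are assumptions made for illustration, and the server version and Java major version are passed in rather than detected.

```python
import json

PATCHED = (26, 1, 2)        # release the article names as carrying the fix
SUPPORTED_JAVA = {21, 25}   # Java versions the guide says to run

def parse_properties(text):
    """Parse server.properties text: key=value lines, '#' or '!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def audit(properties_text, ops_text, server_version, java_major, approved_ops):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    try:
        version = tuple(int(part) for part in server_version.split("."))
        if version < PATCHED:
            findings.append(f"server {server_version} predates 26.1.2")
    except ValueError:
        findings.append(f"cannot parse server version {server_version!r}")
    if java_major not in SUPPORTED_JAVA:
        findings.append(f"Java {java_major} is not 21 or 25")
    props = parse_properties(properties_text)
    if props.get("enforce-secure-profile", "").lower() != "true":
        findings.append("enforce-secure-profile is not set to true")
    # approved_ops is a hypothetical allowlist maintained by the server owner.
    approved = {name.lower() for name in approved_ops}
    for entry in json.loads(ops_text):
        name = entry.get("name", "<unnamed>")
        if name.lower() not in approved:
            findings.append(f"unapproved operator {name} (level {entry.get('level')})")
    return findings

# Constructed sample inputs, not taken from any real server.
SAMPLE_PROPERTIES = """\
#Minecraft server properties
enforce-secure-profile=false
"""
SAMPLE_OPS = json.dumps([
    {"uuid": "00000000-0000-0000-0000-000000000001", "name": "ModAlice", "level": 4},
    {"uuid": "00000000-0000-0000-0000-000000000002", "name": "OldHelper", "level": 4},
])

if __name__ == "__main__":
    for finding in audit(SAMPLE_PROPERTIES, SAMPLE_OPS, "26.1", 17, ["ModAlice"]):
        print("FINDING:", finding)
```

It does not cover the plugin item on the checklist; plugins that handle EntityDamageEvent or gamemode switches still need to be tested by hand against the patched build.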
Chat reporting also got fixed, so reports no longer silently fail in Mojang’s moderation pipeline. Signed chat mechanics stayed the same and profile keys still rotate on schedule. The guide notes that most plugin servers already bypassed some of these via SecureProfile, but everyone needs to double-check with their specific stack.
- Spectator exploit allowed damage while passing through players
- Primarily affected moderation staff using spectator on public servers
- Servers unpatched since 26.1 launch remained exposed
- Fix is server-side only so clients did not need updating
- Hardening also tightens op permissions and profile enforcement
This is the multiplayer reality in 2026. While official drops push baby mobs and golden dandelions that keep pets young forever, the server ecosystem keeps absorbing these targeted hotfixes. Every public Java server admin is now expected to follow hardening trails like this one. The stakes are real: one unpatched spectator admin could ruin worlds without ever appearing on screen.
No massive outrage thread exploded, but the quiet release of this guide three days ago shows the work happening behind the scenes. If you run a server, check your version and configs today. The next hotfix is apparently already expected before 26.2.