HLAPI - Malicious load scene calls?

Discussion in 'Multiplayer' started by HiddenMonk, Feb 28, 2018.

  1. HiddenMonk

    Joined: Dec 19, 2014
    Posts: 987

    Not tested, but looking at the code it seems the server/host can tell the clients to load any scene that is in the game, regardless if they really should have.
    In other words, a malicious server/host can just alter the packets to change the scene name so they can tell all clients to load the game's startup scene or something possibly more dangerous depending on what you have a scene do.

    I think Photon also has this issue (with its PhotonNetwork.automaticallySyncScene), and possibly all other network solutions...

    Is this not a concern?

    A way I was thinking of handling this was that any scene load messages from the server will just call an event OnServerLoadedScene(string sceneName) and then the client can decide if it wants to load the scene after it does some checks such as if it's allowed to load that scene, or even make sure the server isn't spamming scene changes making the client trapped constantly changing scenes.
     
  2. TwoTen

    Joined: May 25, 2016
    Posts: 1,168

    Surely it should be a concern. Game scenes are often used in odd ways as a part of the execution flow. The proper way to do it would be similar to how spawnable prefabs are handled. A set of registered scenes that the server can tell clients to switch to.
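
The two checks proposed in this thread (a registered-scene set and a guard against rapid scene changes), combined into one client-side gate. This is an added example, not part of either post and not HLAPI or Photon code; `SceneLoadGate`, `SceneDecision`, the scene names and the 5-second interval are hypothetical, and the actual scene load is left to the caller.

```csharp
using System;
using System.Collections.Generic;

// Hypothetical client-side gate; not part of HLAPI or Photon.
public enum SceneDecision { Allow, NotRegistered, TooSoon }

public sealed class SceneLoadGate
{
    private readonly HashSet<string> registered;
    private readonly TimeSpan minInterval;
    private DateTime? lastAccepted;

    public SceneLoadGate(IEnumerable<string> registeredScenes, TimeSpan minInterval)
    {
        // Ordinal comparison: exact match only, no culture or case folding.
        registered = new HashSet<string>(registeredScenes, StringComparer.Ordinal);
        this.minInterval = minInterval;
    }

    // Call from the handler that receives the server's scene message,
    // before any scene is loaded. 'now' is passed in so the gate is testable.
    public SceneDecision Check(string sceneName, DateTime now)
    {
        if (string.IsNullOrEmpty(sceneName) || !registered.Contains(sceneName))
            return SceneDecision.NotRegistered;
        // Only accepted loads start the timer, so rejected requests
        // cannot be used to keep a legitimate change locked out.
        if (lastAccepted.HasValue && now - lastAccepted.Value < minInterval)
            return SceneDecision.TooSoon;
        lastAccepted = now;
        return SceneDecision.Allow;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample data: scene names and timings are made up.
        var gate = new SceneLoadGate(new[] { "Lobby", "Arena01" }, TimeSpan.FromSeconds(5));
        var t0 = new DateTime(2018, 2, 28, 12, 0, 0, DateTimeKind.Utc);

        Console.WriteLine(gate.Check("Arena01", t0));                // registered, first request
        Console.WriteLine(gate.Check("Startup", t0.AddSeconds(10))); // in the build, not registered
        Console.WriteLine(gate.Check("Lobby", t0.AddSeconds(2)));    // registered, inside the interval
        Console.WriteLine(gate.Check("Lobby", t0.AddSeconds(6)));    // registered, interval elapsed
    }
}
```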