Description
prompts.chat prior to commit 1464475 contains an identity confusion vulnerability due to inconsistent case-sensitive and case-insensitive handling of usernames across write and read paths, allowing attackers to create case-variant usernames that bypass uniqueness checks. Attackers can exploit non-deterministic username resolution to impersonate victim accounts, replace profile content on canonical URLs, and inject attacker-controlled metadata and content across the platform.
Published: 2026-04-03
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Account Impersonation
Action: Immediate Patch
AI Analysis

Impact

The vulnerability arises because prompts.chat handles usernames inconsistently: writes (the uniqueness check at registration) are case-sensitive while reads (profile lookup) are case-insensitive, so an attacker can register an account whose name differs from an existing one only by letter case. The case-variant account passes the uniqueness check and later resolves to the same canonical username as the victim's. Consequently, an attacker can impersonate an existing user, replace that user's profile data, and place attacker-controlled metadata on public URLs. Such actions compromise the confidentiality and integrity of user accounts and of platform content.

Affected Systems

All versions of prompts.chat before the change that normalizes username handling are vulnerable. The fix was introduced in commit 1464475 of the prompts.chat source repository. The affected product is the prompts.chat web application hosted by fka.

Risk and Exploitability

The CVSS base score of 8.6 marks this issue as high severity. The EPSS score of less than 1% indicates that, while the vulnerability can be exploited easily, the likelihood of exploitation in the wild is currently low. Because it is not listed in the CISA KEV catalog, there is no evidence of known exploitation yet. An attacker can reach the vulnerability remotely by creating a crafted username through the registration or account‑management interfaces, after which the attacker can access or modify data as the victim. Given the severity and ease of exploitation, organizations should prioritize remediation, especially those that expose the service to the public internet.

Generated by OpenCVE AI on April 13, 2026 at 19:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the updates from commit 1464475 or newer to ensure consistent case handling for usernames.
  • Deploy the updated code and restart the prompts.chat service.
  • Verify that username storage and lookup are now case‑insensitive across all write and read paths.
  • If an immediate update is not possible, restrict username edits or temporarily block new account registrations until the patch is applied.
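The write/read mismatch described under Impact, and the consistency check called for in the actions above, as an added illustration that is not prompts.chat's own code: a minimal in-memory user store in the vulnerable shape beside one that derives a single canonical key for every write and read. The class names, the `normalize("NFKC").toLowerCase()` canonicalization rule and the sample usernames are assumptions for illustration only.

```typescript
// Added example (not prompts.chat code): a minimal user store showing the
// write/read case mismatch, beside a version keyed on one canonical form.
// Names, storage shape and the canonicalization rule are assumptions.

interface User { username: string; displayName: string }

// Vulnerable pattern: uniqueness is checked on the raw (case-sensitive) string,
// but profile lookup compares case-insensitively, so two rows can match one URL.
class CaseMismatchStore {
  private users: User[] = [];
  register(username: string, displayName: string): boolean {
    if (this.users.some(u => u.username === username)) return false;
    this.users.push({ username, displayName });
    return true;
  }
  lookup(handle: string): User | undefined {
    // Whichever matching row the array order yields wins: resolution depends on storage order.
    return this.users.find(u => u.username.toLowerCase() === handle.toLowerCase());
  }
}

// Hardened pattern: one canonical form is computed once and used as the unique
// key on every write and every read, so the two paths cannot disagree.
function canonicalUsername(raw: string): string {
  // NFKC folds compatibility forms; lower-casing folds ASCII and most scripts.
  return raw.normalize("NFKC").toLowerCase();
}

class CanonicalStore {
  private byKey = new Map<string, User>();
  register(username: string, displayName: string): boolean {
    const key = canonicalUsername(username);
    if (this.byKey.has(key)) return false;
    this.byKey.set(key, { username, displayName });
    return true;
  }
  lookup(handle: string): User | undefined {
    return this.byKey.get(canonicalUsername(handle));
  }
}

// Consistency check for a deployment: a second registration differing only in
// case must be rejected, and the canonical URL must still resolve to the
// original account. Returns true only when both hold.
function passesCaseConsistencyCheck(store: CaseMismatchStore | CanonicalStore): boolean {
  const first = store.register("Alice", "real alice");    // constructed sample
  const second = store.register("alice", "someone else");  // case variant of it
  const resolved = store.lookup("alice");
  return first && !second && resolved?.displayName === "real alice";
}
```

Running the check against a real deployment means issuing the same two registrations through the application's own API rather than this in-memory stand-in.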


Advisories

No advisories yet.

History

Mon, 13 Apr 2026 18:15:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Fka; Fka prompts.chat
CPEs                |                | cpe:2.3:a:fka:prompts.chat:*:*:*:*:*:*:*:*
Vendors & Products  |                | Fka; Fka prompts.chat

Tue, 07 Apr 2026 00:00:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | F; F prompts.chat
Vendors & Products  |                | F; F prompts.chat

Mon, 06 Apr 2026 20:00:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 03 Apr 2026 21:30:00 +0000

Type        | Values Removed | Values Added
Description |                | prompts.chat prior to commit 1464475 contains an identity confusion vulnerability due to inconsistent case-sensitive and case-insensitive handling of usernames across write and read paths, allowing attackers to create case-variant usernames that bypass uniqueness checks. Attackers can exploit non-deterministic username resolution to impersonate victim accounts, replace profile content on canonical URLs, and inject attacker-controlled metadata and content across the platform.
Title       |                | prompts.chat Identity Confusion via Case-Sensitive Username Handling
Weaknesses  |                | CWE-178
References  |                |
Metrics     |                | cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}
            |                | cvssV4_0: {'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-06T18:02:55.883Z

Reserved: 2026-01-08T19:04:26.364Z

Link: CVE-2026-22665

Vulnrichment

Updated: 2026-04-06T18:00:51.565Z

NVD

Status : Analyzed

Published: 2026-04-03T21:17:09.693

Modified: 2026-04-13T18:10:46.217

Link: CVE-2026-22665

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:41:42Z

Weaknesses