Description
Lumiverse is a full-featured AI chat application. Prior to 0.9.7, consumeNonce() only checks that the module-level variable is set and unexpired. It does not validate any value from the incoming HTTP request or bind the nonce to the admin's session. If the admin's auth.api.signUpEmail() call fails before the before hook fires (e.g. BetterAuth rejects a duplicate email at the validation layer), the nonce is set but never consumed. Any POST /api/auth/sign-up/email request that arrives during the remaining window registers successfully regardless of who sent it. An attacker who can observe or predict when the admin is creating users (must be a duplicate user) can race the 10-second window to register an unauthorized account. This vulnerability is fixed in 0.9.7.
Published: 2026-05-26
Score: 4.8 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unbound sign-up nonce creates a race condition that lets an attacker create an account during a 10-second window when the admin's account creation fails before the nonce is consumed. The attacker does not need to bypass authentication; merely sending a sign-up request during that window registers the account regardless of the caller. This flaw is a classic race condition (CWE-362) and results in unauthorized access, potentially giving an attacker the ability to bypass restrictions or to conduct phishing or credential stuffing attacks with the newly registered account.

Affected Systems

The vulnerability exists in Lumiverse versions prior to 0.9.7. All installations of the Lumiverse chat application from the vendor "prolix-oc" are affected unless the software has been updated to 0.9.7 or later.

Risk and Exploitability

The CVSS score of 4.8 indicates a moderate impact. EPSS is not available, and the vulnerability is not listed in CISA's KEV catalog, implying no widely deployed exploits are known. The attack requires the ability to observe or predict when an admin attempts to create a duplicate user and to send a sign-up request during the remaining 10-second window. The likely vector is an attacker on the same network, or an existing user of the service, who can time requests; this is inferred rather than explicitly stated in the advisory.

Generated by OpenCVE AI on May 26, 2026 at 21:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Lumiverse to version 0.9.7 or later, which fixes the nonce validation logic.
  • If a patch cannot be applied immediately, restrict normal users from creating accounts during admin sign-up sessions, or enforce strict email uniqueness checks to prevent duplicate email creation.
  • Monitor authentication logs for unexpected sign-up events and alert on patterns that match the race-condition window.

Advisories

No advisories yet.

History

Tue, 26 May 2026 20:30:00 +0000

Type: Description
Values Removed: (none)
Values Added: Lumiverse is a full-featured AI chat application. Prior to 0.9.7, consumeNonce() only checks that the module-level variable is set and unexpired. It does not validate any value from the incoming HTTP request or bind the nonce to the admin's session. If the admin's auth.api.signUpEmail() call fails before the before hook fires (e.g. BetterAuth rejects a duplicate email at the validation layer), the nonce is set but never consumed. Any POST /api/auth/sign-up/email request that arrives during the remaining window registers successfully regardless of who sent it. An attacker who can observe or predict when the admin is creating users (must be a duplicate user) can race the 10-second window to register an unauthorized account. This vulnerability is fixed in 0.9.7.

Type: Title
Values Removed: (none)
Values Added: Lumiverse: Sign-up nonce race condition allows unauthorized account registration

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-362

Type: References
Values Removed: (none)
Values Added: (none)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-26T20:02:39.562Z

Reserved: 2026-05-06T15:49:25.191Z

Link: CVE-2026-44443

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-26T21:16:37.760

Modified: 2026-05-26T21:16:37.760

Link: CVE-2026-44443

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-26T21:30:16Z

Weaknesses