Description
The DeepAI endpoint 'https://api.deepai.org/change_user_email' accepts POST requests without any CSRF protection. If an attacker can trick a logged-in user into clicking a malicious link, the attacker can change the user's email address and take over their account. Fixed on 2026-05-20.
Published: 2026-06-01
Score: 2.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the DeepAI endpoint https://api.deepai.org/change_user_email, which accepts POST requests without any CSRF protection. When a logged‑in user is tricked into visiting a malicious link, an attacker can forge a request that changes the user’s email address. The attacker then gains control of that account, potentially allowing access to the user’s data and any services that rely on that account. The weakness is identified as a classic CSRF flaw (CWE‑352).

Affected Systems

The affected product is the DeepAI API hosted on api.deepai.org. The issue applies to all affected API versions prior to the fix released on May 20 2026; no specific version numbers are listed in the CVE data.

Risk and Exploitability

The CVSS score of 2.3 indicates a low-severity vulnerability. No EPSS score is provided, so the current probability of exploitation cannot be determined from this data. The vulnerability is not listed in CISA’s KEV catalog, suggesting no known high‑profile exploitation. The likely attack vector is CSRF, which requires the user to be authenticated and to click a malicious link or visit a compromised site. The absence of CSRF tokens makes the attack trivial once the user is tricked, but the overall impact remains limited to account takeover and does not extend to broader system integrity or availability.

Generated by OpenCVE AI on June 1, 2026 at 21:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to the API version released after 2026‑05‑20 that includes CSRF protection.
  • Configure CSRF verification or add a server‑side anti‑CSRF token to all state‑changing requests if the API platform allows it.
  • Restrict the endpoint to specific IP addresses or require re‑authentication for email‑change operations if a quick patch is unavailable.
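The second recommendation, a server-side anti-CSRF token on every state-changing request, is shown below as an added example written for this page; it is not DeepAI's code. It models an email-change handler that binds a synchronizer token to the session and additionally checks the Origin/Referer header against an assumed deployment origin (app.example.com), so a cross-site request riding the victim's cookies is refused.

```python
import hmac
import secrets
from urllib.parse import urlparse

# Constructed example, not DeepAI's implementation. The origin allowed to
# drive state-changing requests (assumed deployment origin).
ALLOWED_ORIGINS = {"https://app.example.com"}


def issue_csrf_token(session: dict) -> str:
    """Generate a per-session token and store it server-side (synchronizer token)."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def verify_state_change(session: dict, headers: dict, form: dict) -> tuple[bool, str]:
    """Return (allowed, reason) for a state-changing POST.

    Two independent checks: the submitted token must match the one bound to the
    session, and the Origin (or Referer) must name an allowed origin. A forged
    cross-site form can neither read the session token nor set the Origin header.
    """
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token")
    if not expected or not supplied or not hmac.compare_digest(expected, supplied):
        return False, "missing or mismatched CSRF token"
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False, "no Origin or Referer header"
        parsed = urlparse(referer)
        origin = f"{parsed.scheme}://{parsed.netloc}"
    if origin not in ALLOWED_ORIGINS:
        return False, f"origin {origin!r} not allowed"
    return True, "ok"


def change_user_email(session: dict, headers: dict, form: dict) -> dict:
    """Email-change handler that refuses requests failing the CSRF checks."""
    ok, reason = verify_state_change(session, headers, form)
    if not ok:
        return {"status": 403, "error": reason}
    session["email"] = form["new_email"]
    return {"status": 200, "email": session["email"]}
```

The third recommendation (re-authentication for email changes) would be layered on top of this: require a fresh password or second-factor check before `change_user_email` commits the new address.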

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 02:30:00 +0000

Type: First Time appeared
  Values Removed: (none)
  Values Added: Deepai; Deepai api.deepai.org

Type: Vendors & Products
  Values Removed: (none)
  Values Added: Deepai; Deepai api.deepai.org

Mon, 01 Jun 2026 22:30:00 +0000

Type: Metrics
  Values Removed: (none)
  Values Added: ssvc
    {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 01 Jun 2026 20:30:00 +0000

Type: Description
  Values Removed: (none)
  Values Added: The DeepAI endpoint 'https://api.deepai.org/change_user_email' accepts POST requests without any CSRF protection. If an attacker can trick a logged-in user into clicking a malicious link, the attacker can change the user's email address and take over their account. Fixed on 2026-05-20.

Type: Title
  Values Removed: (none)
  Values Added: DeepAI api.deepai.org/change_user_email CSRF

Type: Weaknesses
  Values Removed: (none)
  Values Added: CWE-352

Type: References
  Values Removed: (none)
  Values Added: (none)

Type: Metrics
  Values Removed: (none)
  Values Added: cvssV3_1
    {'score': 5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L'}
  cvssV4_0
    {'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: cisa-cg

Published:

Updated: 2026-06-01T20:30:58.784Z

Reserved: 2026-05-29T20:47:19.033Z

Link: CVE-2026-49433

Vulnrichment

Updated: 2026-06-01T20:30:54.783Z

NVD

Status: Awaiting Analysis

Published: 2026-06-01T21:16:47.203

Modified: 2026-06-02T13:04:12.153

Link: CVE-2026-49433

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-02T20:52:39Z

Weaknesses
  • CWE-352: Cross-Site Request Forgery (CSRF)