CVE-2026-22665
Identity Confusion in prompts.chat Allows Account Impersonation
Publication date: 2026-04-03
Last updated on: 2026-04-13
Assigner: VulnCheck
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| fka | prompts.chat | up to 2026-03-24 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-178 | The product does not properly account for differences in case sensitivity when accessing or determining the properties of a resource, leading to inconsistent results. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in prompts.chat prior to commit 1464475 and is an identity confusion issue caused by inconsistent handling of usernames. Specifically, the system treats usernames differently when writing (case-sensitive) versus reading (case-insensitive), allowing attackers to create usernames that differ only in letter case. This bypasses uniqueness checks.
As a result, username resolution becomes non-deterministic, and attackers can exploit this to impersonate other users, replace profile content on canonical URLs, and inject attacker-controlled metadata and content across the platform.
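The write/read mismatch described above, as a minimal in-memory model beside a hardened form that uses one canonical key for both the uniqueness check and the lookup, plus an audit helper for existing data. This is an added example, not code from prompts.chat: all class and function names and the sample usernames are constructed, and the NFKC normalization step is an assumption that goes beyond the case-only issue the advisory describes.

```javascript
// Added example with constructed data; class and function names are hypothetical.
// NFKC normalization is an extra hardening step beyond the case-only issue in the advisory.
const canonical = (name) => name.normalize("NFKC").toLowerCase();

// Pattern described in the advisory: case-sensitive write, case-insensitive read.
class CaseConfusedStore {
  constructor() { this.rows = []; }
  register(username, profile) {
    // Uniqueness is checked on the exact string only.
    if (this.rows.some((r) => r.username === username)) throw new Error("username taken");
    this.rows.push({ username, profile });
  }
  // Every row the case-insensitive read path could return for this name.
  resolve(username) {
    return this.rows.filter((r) => r.username.toLowerCase() === username.toLowerCase());
  }
}

// Hardened form: the same canonical key backs both the uniqueness check and the lookup.
class CanonicalStore {
  constructor() { this.byKey = new Map(); }
  register(username, profile) {
    const key = canonical(username);
    if (this.byKey.has(key)) throw new Error("username taken");
    this.byKey.set(key, { username, profile }); // display casing kept, key is canonical
  }
  resolve(username) {
    const row = this.byKey.get(canonical(username));
    return row ? [row] : [];
  }
}

// Audit helper: groups of existing usernames that collapse to one canonical key.
// Useful before adding a unique constraint on a canonical column.
function findCaseCollisions(usernames) {
  const groups = new Map();
  for (const u of usernames) {
    const key = canonical(u);
    groups.set(key, [...(groups.get(key) || []), u]);
  }
  return [...groups.values()].filter((g) => g.length > 1);
}

const weak = new CaseConfusedStore();
weak.register("alice", "original profile");
weak.register("Alice", "second account"); // accepted: differs only in letter case
console.log(weak.resolve("alice").length); // 2 candidate rows for one profile URL
console.log(findCaseCollisions(weak.rows.map((r) => r.username)));
```
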
How can this vulnerability impact me?
The vulnerability can have serious impacts, including unauthorized impersonation of victim accounts, which can lead to trust and security breaches:
- Attackers can replace profile content on official URLs, misleading other users.
- Attackers can inject malicious or attacker-controlled metadata and content across the platform, potentially leading to misinformation or further exploitation.