CVE-2026-44443
Deferred Deferred - Pending Action
Authentication Bypass in Lumiverse AI Chat

Publication date: 2026-05-26

Last updated on: 2026-05-28

Assigner: GitHub, Inc.

Description
Lumiverse is a full-featured AI chat application. Prior to 0.9.7, consumeNonce() only checks that the module-level variable is set and unexpired. It does not validate any value from the incoming HTTP request or bind the nonce to the admin's session. If the admin's auth.api.signUpEmail() call fails before the before hook fires (e.g. BetterAuth rejects a duplicate email at the validation layer), the nonce is set but never consumed. Any POST /api/auth/sign-up/email request that arrives during the remaining window registers successfully regardless of who sent it. An attacker who can observe or predict when the admin is creating users (must be a dupplicate user) can race the 10-second window to register an unauthorized account. This vulnerability is fixed in 0.9.7.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-26
Last Modified
2026-05-28
Generated
2026-06-16
AI Q&A
2026-05-27
EPSS Evaluated
2026-06-14
NVD
CVE-2026-44443
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
lumiverse ai_chat_application 0.9.7
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-362 The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Lumiverse AI chat application versions prior to 0.9.7. The function consumeNonce() only checks if a module-level nonce variable is set and unexpired but does not validate the nonce against the incoming HTTP request or bind it to the admin's session.

If an admin's sign-up email call fails before a certain hook fires (for example, if BetterAuth rejects a duplicate email), the nonce remains set but is never consumed. During this remaining window (about 10 seconds), any POST request to /api/auth/sign-up/email can register successfully regardless of who sent it.

An attacker who can observe or predict when the admin is creating users, especially duplicate users, can exploit this timing window to register unauthorized accounts.

This issue was fixed in version 0.9.7.

Impact Analysis

This vulnerability allows an attacker to register unauthorized user accounts by exploiting a timing window during the admin's user creation process.

Such unauthorized accounts could potentially be used to gain improper access, escalate privileges, or perform malicious actions within the Lumiverse application.

Because the attacker does not need to be authenticated and only needs to predict or observe the admin's actions, this can lead to unauthorized access and compromise of the system's integrity.

Mitigation Strategies

The vulnerability is fixed in Lumiverse version 0.9.7. Immediate mitigation involves upgrading Lumiverse to version 0.9.7 or later.

Until the upgrade is applied, be aware that any POST /api/auth/sign-up/email requests during a 10-second window after a failed signUpEmail() call may allow unauthorized account registration.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44443. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart