CVE-2026-49433
CSRF Vulnerability in DeepAI Email Change Endpoint
Publication date: 2026-06-01
Last updated on: 2026-06-01
Assigner: Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| deepai | change_user_email | to 2026-05-20 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability exists in the DeepAI endpoint 'https://api.deepai.org/change_user_email', which accepts POST requests without any Cross-Site Request Forgery (CSRF) protection.
This means that if an attacker tricks a logged-in user into clicking a malicious link, the attacker can change the user's email address and potentially take over their account.
The issue was fixed on 2026-05-20.
How can this vulnerability impact me?
This vulnerability can allow an attacker to take over a user's account by changing the user's email address without their consent.
Account takeover can lead to unauthorized access to personal data, misuse of the account, and potential further exploitation depending on the account's privileges.
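To make the CWE-352 failure concrete, the following added example (not DeepAI's code; the handler names, in-memory stores and the allowed-origin value are constructed for illustration) contrasts an email-change handler that relies only on the session cookie with one that also verifies the request's Origin and a per-session synchronizer token. The browser attaches cookies to a cross-site form submission automatically, so the first handler accepts a forged request; the second rejects it and accepts the same change only when it comes from the site's own page with the matching token.

```python
from __future__ import annotations
import hmac
import secrets

# Constructed in-memory stand-ins for the real session and user stores.
SESSIONS: dict[str, dict] = {}   # session_id -> {"user": str, "csrf_token": str}
USERS: dict[str, str] = {}       # username -> current email

# Constructed example value; a real deployment lists its own origins.
ALLOWED_ORIGINS = {"https://deepai.org"}


def create_session(username: str, email: str) -> tuple[str, str]:
    """Log a user in and return (session cookie value, CSRF token bound to that session)."""
    session_id = secrets.token_urlsafe(32)
    csrf_token = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {"user": username, "csrf_token": csrf_token}
    USERS[username] = email
    return session_id, csrf_token


def change_email_unprotected(headers: dict, cookies: dict, form: dict) -> tuple[int, str]:
    """The flawed pattern: only the session cookie is checked. Because browsers send
    cookies with cross-site POSTs, a form auto-submitted from another site passes."""
    session = SESSIONS.get(cookies.get("session", ""))
    if session is None:
        return 401, "not logged in"
    USERS[session["user"]] = form.get("new_email", "")
    return 200, "email updated"


def _origin_allowed(headers: dict) -> bool:
    """Accept only requests whose Origin (or, failing that, Referer) is one of our own origins."""
    origin = headers.get("Origin") or headers.get("Referer", "")
    return any(origin == o or origin.startswith(o + "/") for o in ALLOWED_ORIGINS)


def change_email_protected(headers: dict, cookies: dict, form: dict) -> tuple[int, str]:
    """Hardened handler: session cookie + same-origin check + synchronizer token.
    Each check is independent, so a request must satisfy all of them."""
    session = SESSIONS.get(cookies.get("session", ""))
    if session is None:
        return 401, "not logged in"
    if not _origin_allowed(headers):
        return 403, "cross-site request rejected"
    # Constant-time comparison avoids leaking the token through timing differences.
    if not hmac.compare_digest(form.get("csrf_token", ""), session["csrf_token"]):
        return 403, "missing or invalid CSRF token"
    new_email = form.get("new_email", "").strip()
    if "@" not in new_email:
        return 400, "invalid email"
    USERS[session["user"]] = new_email
    return 200, "email updated"


def demo() -> dict:
    """Drive both handlers with a forged cross-site POST and a legitimate same-site POST."""
    sid, token = create_session("alice", "alice@example.com")
    cookie = {"session": sid}  # the browser attaches this to both requests below
    forged_headers = {"Origin": "https://attacker.example"}          # constructed
    forged_form = {"new_email": "attacker@example.com"}             # no token, wrong origin
    legit_headers = {"Origin": "https://deepai.org"}
    legit_form = {"new_email": "alice.new@example.com", "csrf_token": token}

    results = {}
    results["unprotected_forged"] = change_email_unprotected(forged_headers, cookie, forged_form)
    results["email_after_unprotected"] = USERS["alice"]
    USERS["alice"] = "alice@example.com"  # reset for the protected run
    results["protected_forged"] = change_email_protected(forged_headers, cookie, forged_form)
    results["email_after_forged"] = USERS["alice"]
    results["protected_legit"] = change_email_protected(legit_headers, cookie, legit_form)
    results["email_after_legit"] = USERS["alice"]
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The Origin check alone defeats the classic forged form, and the token alone also does; keeping both means a bug in one (a misconfigured allow-list, a token leaked into a GET URL) does not reopen the account-takeover path the Q&A describes.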