CVE-2026-49433
CSRF Vulnerability in DeepAI Email Change Endpoint
Publication date: 2026-06-01
Last updated on: 2026-06-01
Assigner: Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| deepai | change_user_email | up to and including 2026-05-20 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability exists in the DeepAI endpoint 'https://api.deepai.org/change_user_email', which accepts POST requests without any Cross-Site Request Forgery (CSRF) protection.
This means that if an attacker tricks a logged-in user into clicking a malicious link, the attacker can change the user's email address and potentially take over their account.
The issue was fixed on 2026-05-20.
How can this vulnerability impact me?
This vulnerability can allow an attacker to take over a user's account by changing the user's email address without their consent.
Account takeover can lead to unauthorized access to personal data, misuse of the account, and potential further exploitation depending on the account's privileges.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, ensure that the DeepAI endpoint 'https://api.deepai.org/change_user_email' is protected against CSRF attacks. This can be done by applying the fix released on 2026-05-20 or by implementing CSRF protection mechanisms such as requiring anti-CSRF tokens for POST requests.
Additionally, educate users to avoid clicking on suspicious links while logged in, as the attack requires user interaction.
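As an added illustration of the anti-CSRF token mitigation described above (this is not DeepAI's code; the real handler is not on this page), the sketch below shows a framework-free email-change handler in its cookie-only form next to a hardened form that requires a per-session synchronizer token in the request body and checks the Origin header. SITE_ORIGIN, the in-memory session store and all function names are assumptions.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed values for illustration; the real site origin and session store differ.
SITE_ORIGIN = "https://deepai.org"
SESSIONS = {}  # session_id -> {"user": ..., "email": ..., "csrf": ...}


def new_session(user, email):
    """Create a logged-in session with its own unpredictable anti-CSRF token."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "email": email, "csrf": secrets.token_urlsafe(32)}
    return sid


def change_email_vulnerable(request):
    """Trusts the session cookie alone, which the browser attaches to any cross-site POST."""
    sess = SESSIONS.get(request["cookies"].get("session"))
    if sess is None:
        return 401
    sess["email"] = request["form"]["email"]
    return 200


def _same_site(request):
    """Accept only when Origin (or Referer if Origin is absent) names our own site."""
    src = request["headers"].get("Origin") or request["headers"].get("Referer")
    if not src:
        return False  # fail closed: a forged form may arrive with neither header
    parts = urlsplit(src)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def change_email_hardened(request):
    """Same endpoint with a synchronizer token plus an origin check."""
    sess = SESSIONS.get(request["cookies"].get("session"))
    if sess is None:
        return 401
    # The token must come from the form body, never from the cookie the browser auto-sends.
    token = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(token.encode(), sess["csrf"].encode()):
        return 403
    if not _same_site(request):
        return 403
    sess["email"] = request["form"]["email"]
    return 200
```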
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows an attacker to change a logged-in user's email address without CSRF protection, potentially leading to account takeover. This could result in unauthorized access to personal data, which may impact compliance with data protection regulations such as GDPR and HIPAA that require safeguarding user data and preventing unauthorized access.
However, the provided context and resources do not explicitly discuss the impact of this vulnerability on compliance with common standards and regulations.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the DeepAI API endpoint 'https://api.deepai.org/change_user_email' accepting POST requests without CSRF protection, which can be exploited if a logged-in user is tricked into clicking a malicious link.
To detect attempts to exploit this vulnerability on your network or system, you can monitor HTTP POST requests to the endpoint 'https://api.deepai.org/change_user_email'. Look for unusual or unexpected POST requests originating from user sessions.
Example commands to detect such activity might include using network traffic analysis tools or web server logs filtering for POST requests to the vulnerable endpoint.
- Using tcpdump to capture POST requests to the endpoint: tcpdump -i any -A 'tcp port 443 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'POST /change_user_email'. Note that traffic on port 443 is TLS-encrypted, so the grep only matches where the capture point sees plaintext, for example behind a TLS-terminating proxy.
- Using grep on web server logs to find POST requests to the endpoint: grep 'POST /change_user_email' /var/log/nginx/access.log
- Using a web application firewall (WAF) or intrusion detection system (IDS) to alert on POST requests to the vulnerable endpoint without proper CSRF tokens.