CVE-2026-44443
4.8 MEDIUMLumiverse is a full-featured AI chat application
Published: 2026-05-26 · Last updated: 2026-05-28
Severity and scoring
- CVSS
- 4.8 MEDIUM
- Vector
- CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
- CWE
- CWE-362
Description
Lumiverse is a full-featured AI chat application. Prior to 0.9.7, consumeNonce() only checks that the module-level variable is set and unexpired. It does not validate any value from the incoming HTTP request or bind the nonce to the admin's session. If the admin's auth.api.signUpEmail() call fails before the before hook fires (e.g. BetterAuth rejects a duplicate email at the validation layer), the nonce is set but never consumed. Any POST /api/auth/sign-up/email request that arrives during the remaining window registers successfully regardless of who sent it. An attacker who can observe or predict when the admin is creating users (must be a dupplicate user) can race the 10-second window to register an unauthorized account. This vulnerability is fixed in 0.9.7.
Source: NVD
References
Related CVEs
Same CWE
- CVE-2025-13036 — An authentication bypass security issue exists within FactoryTalk Historian Site Edition
- CVE-2026-48708 — OliveTin gives access to predefined shell commands from a web interface (7.5 HIGH)
- CVE-2026-54229 — A race condition was found in the abrt-dbus D-Bus service's ChownProblemDir method (7.0 HIGH)
- CVE-2026-12022 — Race in Safe Browsing in Google Chrome on Mac prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process ... (8.3 HIGH)
- CVE-2026-46693 — ImageMagick is free and open-source software used for editing and manipulating digital images (4.1 MEDIUM)