Skip to main content

Lumiverse CVE-2026-44443

| EUVDEUVD-2026-31982 MEDIUM
Race Condition (CWE-362)
2026-05-26 GitHub_M
4.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.8 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Patch available
May 26, 2026 - 22:02 EUVD
Analysis Generated
May 26, 2026 - 21:04 vuln.today

DescriptionGitHub Advisory

Lumiverse is a full-featured AI chat application. Prior to 0.9.7, consumeNonce() only checks that the module-level variable is set and unexpired. It does not validate any value from the incoming HTTP request or bind the nonce to the admin's session. If the admin's auth.api.signUpEmail() call fails before the before hook fires (e.g. BetterAuth rejects a duplicate email at the validation layer), the nonce is set but never consumed. Any POST /api/auth/sign-up/email request that arrives during the remaining window registers successfully regardless of who sent it. An attacker who can observe or predict when the admin is creating users (must be a dupplicate user) can race the 10-second window to register an unauthorized account. This vulnerability is fixed in 0.9.7.

AnalysisAI

Lumiverse's sign-up nonce mechanism prior to version 0.9.7 allows unauthenticated remote attackers to register unauthorized accounts by exploiting a race condition in the consumeNonce() function. When an admin's user-creation request fails due to a duplicate email - causing BetterAuth to reject at the validation layer - the nonce is set but never consumed, leaving a 10-second window during which any POST to /api/auth/sign-up/email will succeed regardless of the sender. No public exploit code exists and no CISA KEV listing is present; exploitation requires precise timing and the ability to observe or predict an admin's failed duplicate-email attempt, consistent with the CVSS AC:H rating.

Technical ContextAI

Lumiverse (cpe:2.3:a:prolix-oc:lumiverse:*:*:*:*:*:*:*:*) is an AI chat application that integrates BetterAuth for account management. The vulnerable component is consumeNonce(), a server-side guard on the POST /api/auth/sign-up/email endpoint. The function only checks whether a module-level (shared) nonce variable is populated and within its expiry window - it neither validates any nonce token present in the incoming HTTP request nor binds the nonce to the initiating admin's session. CWE-362 (Concurrent Execution Using Shared Resource with Improper Synchronization) precisely describes this root cause: the nonce is a shared mutable state that is written during an admin-initiated flow but skips consumption when BetterAuth rejects the underlying signUpEmail() call at the validation layer (e.g., a duplicate email conflict). The resulting 10-second expiry window becomes a de facto open registration slot exploitable by any concurrent network request.

RemediationAI

The primary fix is to upgrade Lumiverse to version 0.9.7, which corrects the nonce implementation as confirmed by the vendor advisory at https://github.com/prolix-oc/Lumiverse/security/advisories/GHSA-6fcp-x253-wwv7. The patch is expected to bind the nonce to the admin's session and/or validate a per-request token, eliminating the shared-state race condition. If immediate upgrade is not feasible, operators should restrict network access to the POST /api/auth/sign-up/email endpoint via reverse-proxy ACLs or firewall rules, limiting requests to trusted administrative source IPs only - note this may break legitimate self-registration workflows if any are in use. An additional compensating control is to disable open user registration entirely and route all account creation through a privileged admin-only API surface, isolating the vulnerable endpoint from untrusted callers until the patch can be applied.

Share

CVE-2026-44443 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy