Skip to main content

Paymenter CVE-2026-44584

MEDIUM
Improper Authentication (CWE-287)
2026-06-22 https://github.com/Paymenter/Paymenter GHSA-rv89-wch8-c574
4.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
4.3 MEDIUM

Requires authenticated low-privileged session (PR:L) to reach the email update endpoint; impact is integrity-only with no confidentiality or availability consequence.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 22, 2026 - 20:51 vuln.today
Analysis Generated
Jun 22, 2026 - 20:51 vuln.today

DescriptionGitHub Advisory

Summary

The email update functionality fails to invalidate the existing verification state when a user changes their email address, allowing a verified account to retain its verified status after switching to an unverified or unowned email address.

Technical Details

When a user updated their email address, the system did not reset or revalidate the associated email verification status. As a result, the verification column remained set to “true” even after the email address was changed.

This allowed an attacker to:

  • Verify an account using a legitimate email address
  • Change the account email to an arbitrary or unowned address
  • Retain the verified status without re-confirmation of the new email

No verification challenge or confirmation was required for the newly assigned email address.

Impact

This vulnerability allows a user to associate a verified account with an email address they do not control, this may result in:

  • Misrepresentation of email ownership
  • Bypass of verification-based trust assumptions
  • Potential abuse of features gated behind verified status

No direct unauthorized access to other users accounts or data is possible through this issue alone.

AnalysisAI

Email verification bypass in Paymenter allows authenticated users to retain verified account status after changing their email to an address they do not own or control. The email update function fails to reset the verification column, meaning a user who initially verifies with a legitimate address can subsequently substitute any arbitrary email and keep the verified flag intact. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Register account with owned email
Delivery
Complete standard email verification flow
Exploit
Authenticate to account settings
Execution
Submit email update to unowned/arbitrary address
Persist
Verification column remains true without reset
Impact
Access verification-gated features under false email ownership

Vulnerability AssessmentAI

Exploitation Exploitation requires an existing authenticated user account on the Paymenter instance (confirmed by CVSS PR:L). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 4.3 with vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N is consistent with the described behavior: network-accessible, low complexity, but gated behind an authenticated session. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers a Paymenter account using a legitimate email address they control, completes the standard verification flow, then navigates to the account settings and changes their email to a target address they do not own - such as a competitor's domain or a victim's address. Because the verification column is never reset, the account immediately shows as verified against the new, unowned email with no confirmation sent. …
Remediation Upgrade Paymenter to version 1.5.0 or later; this is the vendor-confirmed fix as documented in the GitHub Security Advisory GHSA-rv89-wch8-c574 at https://github.com/Paymenter/Paymenter/security/advisories/GHSA-rv89-wch8-c574. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-44584 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy