Paymenter CVE-2026-44584
MEDIUMSeverity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Requires authenticated low-privileged session (PR:L) to reach the email update endpoint; impact is integrity-only with no confidentiality or availability consequence.
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionGitHub Advisory
Summary
The email update functionality fails to invalidate the existing verification state when a user changes their email address, allowing a verified account to retain its verified status after switching to an unverified or unowned email address.
Technical Details
When a user updated their email address, the system did not reset or revalidate the associated email verification status. As a result, the verification column remained set to “true” even after the email address was changed.
This allowed an attacker to:
- Verify an account using a legitimate email address
- Change the account email to an arbitrary or unowned address
- Retain the verified status without re-confirmation of the new email
No verification challenge or confirmation was required for the newly assigned email address.
Impact
This vulnerability allows a user to associate a verified account with an email address they do not control, this may result in:
- Misrepresentation of email ownership
- Bypass of verification-based trust assumptions
- Potential abuse of features gated behind verified status
No direct unauthorized access to other users accounts or data is possible through this issue alone.
AnalysisAI
Email verification bypass in Paymenter allows authenticated users to retain verified account status after changing their email to an address they do not own or control. The email update function fails to reset the verification column, meaning a user who initially verifies with a legitimate address can subsequently substitute any arbitrary email and keep the verified flag intact. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an existing authenticated user account on the Paymenter instance (confirmed by CVSS PR:L). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 4.3 with vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N is consistent with the described behavior: network-accessible, low complexity, but gated behind an authenticated session. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers a Paymenter account using a legitimate email address they control, completes the standard verification flow, then navigates to the account settings and changes their email to a target address they do not own - such as a competitor's domain or a victim's address. Because the verification column is never reset, the account immediately shows as verified against the new, unowned email with no confirmation sent. … |
| Remediation | Upgrade Paymenter to version 1.5.0 or later; this is the vendor-confirmed fix as documented in the GitHub Security Advisory GHSA-rv89-wch8-c574 at https://github.com/Paymenter/Paymenter/security/advisories/GHSA-rv89-wch8-c574. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-287 – Improper Authentication
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-rv89-wch8-c574