Skip to main content

DeepAI API CVE-2026-49433

| EUVDEUVD-2026-33761 LOW
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-06-01 cisa-cg GHSA-h9m8-r5ff-p645
2.3
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.3 LOW
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

4
Patch available
Jun 01, 2026 - 22:02 EUVD
Severity Changed
Jun 01, 2026 - 21:22 NVD
MEDIUM LOW
CVSS changed
Jun 01, 2026 - 21:22 NVD
5.0 (MEDIUM) 2.3 (LOW)
Analysis Generated
Jun 01, 2026 - 20:51 vuln.today

DescriptionCVE.org

The DeepAI endpoint 'https://api.deepai.org/change_user_email' accepts POST requests without any CSRF protection. If an attacker can trick a logged-in user into clicking a malicious link, the attacker can change the user's email address and take over their account. Fixed on 2026-05-20.

AnalysisAI

Cross-site request forgery in the DeepAI platform's account management API allows unauthenticated remote attackers to change an authenticated user's registered email address, enabling full account takeover. The POST endpoint at https://api.deepai.org/change_user_email accepts state-changing requests without any CSRF token or origin validation, meaning a browser will automatically include session credentials when the request is triggered from a third-party page. The vulnerability was fixed server-side on 2026-05-20 per the CVE description; no public exploit or CISA KEV listing is associated with this CVE at time of analysis.

Technical ContextAI

CWE-352 (Cross-Site Request Forgery) describes a class of vulnerabilities where a web application trusts requests that originate from an authenticated browser session without verifying that the user intentionally issued the request. In this case, the DeepAI API endpoint responsible for email address changes does not implement standard CSRF defenses - such as synchronizer tokens, SameSite cookie attributes, or custom request headers that cross-origin requests cannot set (e.g., X-Requested-With). Because browsers automatically attach cookies to cross-origin POST requests (unless the SameSite=Strict or SameSite=Lax cookie policy is enforced), an attacker-controlled page can silently issue a valid POST to the endpoint using the victim's live session. The CPE string cpe:2.3:a:deepai:api.deepai.org:*:*:*:*:*:*:*:* indicates all prior versions of the api.deepai.org service were affected, consistent with a server-side configuration gap rather than a versioned software release.

RemediationAI

The vendor applied a server-side fix on 2026-05-20, meaning users of the hosted api.deepai.org service are protected as of that date with no client-side action required - this is confirmed by the CVE description and corroborated by the CISA CSAF advisory (https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2026/va-26-152-01.json). Organizations using DeepAI API tokens in automated pipelines should audit account email addresses for unauthorized modifications that may have occurred prior to 2026-05-20. If running any self-hosted or on-premises derivative of the DeepAI API codebase, add CSRF token validation to the /change_user_email endpoint and enforce SameSite=Strict or SameSite=Lax on session cookies - noting that SameSite=Strict may break legitimate cross-site OAuth or redirect flows and should be tested before deployment. There is no exact patched software version number to cite, as the fix was applied directly to the live hosted service.

Share

CVE-2026-49433 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy