Race Condition in Lumiverse AI Chat Application by Prolix
CVE-2026-44443

4.8 MEDIUM

Key Information:

Vendor

Prolix-oc

Status
Vendor
CVE Published: 26 May 2026

What is CVE-2026-44443?

Lumiverse, an AI chat application developed by Prolix, contains a race condition vulnerability in versions prior to 0.9.7. The flaw is in the consumeNonce() function, which inadequately validates incoming HTTP request values and fails to bind the nonce to the administrator's session. As a result, if an attempt to register a user fails because of a duplicate email, the nonce remains set and is not consumed. An attacker who wins the race within the 10-second window during which a valid nonce is active can register unauthorized accounts by sending POST requests to the email signup endpoint. This issue has been addressed in version 0.9.7.
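The hardened pattern implied by the description above, as an added example that is not Lumiverse's code or its actual fix: a nonce is bound to the issuing session, type-checked, and deleted before anything else can fail, so a duplicate-email error cannot leave it live. `NonceStore`, `registerUser`, the in-memory `Map` and the session IDs are hypothetical names chosen for illustration.

```javascript
const { randomBytes } = require('node:crypto');
const NONCE_TTL_MS = 10_000; // the 10-second validity window from the advisory

class NonceStore {
  constructor(now = Date.now) {
    this.now = now;
    this.nonces = new Map(); // nonce -> { sessionId, expiresAt }
  }
  issue(sessionId) {
    const nonce = randomBytes(32).toString('hex');
    this.nonces.set(nonce, { sessionId, expiresAt: this.now() + NONCE_TTL_MS });
    return nonce;
  }

  // Single use: the entry is deleted before any check can fail, so no
  // outcome (wrong session, expiry, later signup error) leaves it live.
  consume(nonce, sessionId) {
    if (typeof nonce !== 'string' || typeof sessionId !== 'string') return false;
    const entry = this.nonces.get(nonce);
    if (!entry) return false;
    this.nonces.delete(nonce);
    return entry.sessionId === sessionId && this.now() <= entry.expiresAt;
  }
}

// Hypothetical signup handler: consume first, then validate the email.
function registerUser(store, users, { nonce, sessionId, email }) {
  if (!store.consume(nonce, sessionId)) return { ok: false, error: 'invalid_nonce' };
  if (typeof email !== 'string' || users.has(email.toLowerCase())) {
    return { ok: false, error: 'registration_failed' };
  }
  users.add(email.toLowerCase());
  return { ok: true };
}

// Constructed scenario: a duplicate-email failure must still burn the nonce.
function demo() {
  let t = 0; // injected clock so expiry is deterministic
  const store = new NonceStore(() => t);
  const users = new Set(['admin@example.test']);
  const n1 = store.issue('admin-session');
  const dup = registerUser(store, users, { nonce: n1, sessionId: 'admin-session', email: 'admin@example.test' });
  const replay = registerUser(store, users, { nonce: n1, sessionId: 'admin-session', email: 'new@example.test' });
  const n2 = store.issue('admin-session');
  const wrongSession = registerUser(store, users, { nonce: n2, sessionId: 'other-session', email: 'x@example.test' });
  const n3 = store.issue('admin-session');
  t = NONCE_TTL_MS + 1;
  const expired = registerUser(store, users, { nonce: n3, sessionId: 'admin-session', email: 'y@example.test' });
  return { dup, replay, wrongSession, expired, userCount: users.size };
}
```

In a multi-process deployment the same consume-before-use step needs an atomic delete in the shared store rather than a per-process `Map`.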

Affected Version(s)

Lumiverse < 0.9.7

CVSS V3.1

Score: 4.8
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved