CVE-2026-22665 Overview
CVE-2026-22665 is an identity confusion vulnerability in prompts.chat that exists due to inconsistent case-sensitive and case-insensitive handling of usernames across write and read paths. This flaw allows attackers to create case-variant usernames that bypass uniqueness checks, enabling account impersonation and content injection attacks.
The vulnerability stems from improper handling of alphabetic case sensitivity (CWE-178), where the application fails to consistently normalize username comparisons. Attackers can exploit non-deterministic username resolution to impersonate victim accounts, replace profile content on canonical URLs, and inject attacker-controlled metadata and content across the platform.
Critical Impact
Attackers can impersonate legitimate users by registering case-variant usernames (e.g., "Admin" vs "admin"), hijack canonical profile URLs, and inject malicious content that appears to originate from trusted accounts.
Affected Products
- prompts.chat (versions prior to commit 1464475)
Discovery Timeline
- 2026-04-03 - CVE-2026-22665 published to NVD
- 2026-04-07 - Last updated in NVD database
Technical Details for CVE-2026-22665
Vulnerability Analysis
This identity confusion vulnerability arises from a fundamental inconsistency in how prompts.chat processes usernames during account creation versus account lookup operations. When a user registers an account, the system performs a case-sensitive uniqueness check, allowing "UserName", "username", and "USERNAME" to be registered as distinct accounts. However, when the system resolves usernames for profile display or authentication purposes, it may perform case-insensitive lookups, creating ambiguity about which account should be returned.
This inconsistency makes identity resolution ambiguous. When multiple case-variant usernames exist, the system's behavior becomes non-deterministic: it may return different user records depending on database row ordering, caching behavior, or the query path taken. An attacker who registers a case-variant of a target username can thereby hijack the victim's canonical profile URL and serve content that visitors associate with the legitimate user.
Root Cause
The root cause is classified as CWE-178 (Improper Handling of Case Sensitivity). The application's write path (user registration) treats usernames as case-sensitive strings, while the read path (profile lookup, authentication) performs case-insensitive comparisons. This architectural inconsistency allows multiple accounts with identical normalized usernames to coexist in the database, breaking the implicit assumption that usernames uniquely identify users.
Attack Vector
The attack is network-accessible and requires low privileges (only a valid user account to create the case-variant username). The attacker follows this sequence:
- Identify a target user with a valuable or trusted username (e.g., "admin", "moderator", or a popular contributor)
- Register a new account using a case-variant of the target username (e.g., "Admin" when "admin" exists)
- Populate the attacker's profile with malicious or misleading content
- Wait for visitors to access the canonical profile URL, which may now resolve to the attacker's account due to non-deterministic resolution
- Harvest trust, redirect users to malicious resources, or inject false information that appears to come from the legitimate account
The vulnerability affects both confidentiality and integrity: attackers can access profile information and alter the content that users see when visiting canonical profile URLs.
Detection Methods for CVE-2026-22665
Indicators of Compromise
- Multiple user accounts existing in the database with case-variant usernames (e.g., "admin", "Admin", "ADMIN")
- Unusual account creation patterns targeting established or high-value usernames
- User complaints about profile content they did not create or unexpected profile modifications
- Audit log entries showing profile access patterns that don't match the legitimate user's activity
Detection Strategies
- Implement database queries to identify existing case-variant username conflicts by comparing lowercase-normalized usernames
- Monitor user registration events for attempts to create accounts with usernames that match existing users when compared case-insensitively
- Deploy application-level logging to track profile resolution requests and identify non-deterministic behavior
- Review authentication logs for patterns suggesting identity confusion between multiple accounts
Monitoring Recommendations
- Enable comprehensive audit logging for all user registration and profile access operations
- Set up alerts for rapid successive account creations with similar username patterns
- Monitor for user reports of unauthorized profile changes or identity-related complaints
- Implement periodic database integrity checks to identify case-variant username duplicates
How to Mitigate CVE-2026-22665
Immediate Actions Required
- Update prompts.chat to commit 1464475 or later to apply the security fix
- Audit existing user database for case-variant username conflicts and merge or remediate affected accounts
- Notify users who may have been impacted by identity confusion attacks
- Review recent account registrations for potential exploitation attempts
Patch Information
The vulnerability has been addressed in commit 1464475df2698fb7ccd0cdbc382b0750466f891d. The fix ensures consistent case-insensitive username handling across both registration (write) and lookup (read) operations, preventing case-variant usernames from bypassing uniqueness constraints.
For detailed information about the fix, refer to the GitHub Commit and the Pull Request Discussion. Additional technical details are available in the VulnCheck Advisory.
Workarounds
- Implement a custom database constraint or trigger to enforce case-insensitive username uniqueness at the storage layer
- Add application-level middleware to normalize all usernames to lowercase before any database operations
- Manually audit and remove or rename accounts with case-variant usernames until the patch can be applied
- Consider temporarily disabling new user registration if immediate patching is not feasible
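As an added example that is not prompts.chat's own code, the following TypeScript contrasts the inconsistent write/read handling described in the Root Cause section with a store that applies one normalization rule on both paths, and includes the case-variant audit check from the Detection Strategies section (the User shape, the lowercasing rule and the store names are assumptions):

```typescript
// Added illustration, not prompts.chat code. Assumes a minimal User shape.
interface User { id: number; username: string; }

// One normalization rule applied on every path. Plain lowercasing is assumed here;
// the exact rule used by the real fix is whatever commit 1464475 chose.
function normalizeUsername(name: string): string {
  return name.trim().toLowerCase();
}

// Vulnerable: exact-match uniqueness on write, case-insensitive match on read.
class VulnerableStore {
  users: User[] = [];
  register(username: string): User {
    if (this.users.some(u => u.username === username)) throw new Error("username taken");
    const user = { id: this.users.length + 1, username };
    this.users.push(user);
    return user;
  }
  lookup(username: string): User | undefined {
    const key = username.toLowerCase();
    // First match wins, so the result depends on storage order, not on identity.
    return this.users.find(u => u.username.toLowerCase() === key);
  }
}

// Hardened: the same normalization is used for the uniqueness check and the lookup.
class HardenedStore {
  private byKey = new Map<string, User>();
  register(username: string): User {
    const key = normalizeUsername(username);
    if (this.byKey.has(key)) throw new Error("username taken");
    const user = { id: this.byKey.size + 1, username };
    this.byKey.set(key, user);
    return user;
  }
  lookup(username: string): User | undefined {
    return this.byKey.get(normalizeUsername(username));
  }
}

// Audit helper: group accounts by normalized username, keep groups with more than one
// member (SQL equivalent: GROUP BY LOWER(username) HAVING COUNT(*) > 1).
function findCaseVariantConflicts(users: User[]): Map<string, string[]> {
  const groups = new Map<string, string[]>();
  for (const u of users) {
    const key = normalizeUsername(u.username);
    groups.set(key, (groups.get(key) ?? []).concat(u.username));
  }
  return new Map(Array.from(groups).filter(([, names]) => names.length > 1));
}
```

Running findCaseVariantConflicts over a dump of the existing user table gives the list of accounts to merge or remediate before or after applying the patch.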
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.