CVE-2026-44443 Overview
CVE-2026-44443 is a race condition (CWE-362) in Lumiverse, a full-featured AI chat application. The flaw is in the consumeNonce() function that gates admin-initiated user registration: it neither validates a request-bound nonce value nor ties the nonce to the admin's session. When an admin's auth.api.signUpEmail() call is rejected at the BetterAuth validation layer because the email already exists, the nonce has already been set but is never consumed, and any POST /api/auth/sign-up/email request that arrives within the 10-second expiry window registers an account. The issue is fixed in version 0.9.7.
Critical Impact
An attacker who can observe or predict admin user-creation activity, in particular attempts that fail on a duplicate email, can race the resulting 10-second window and register an account on the Lumiverse instance without admin approval.
Affected Products
- Lumiverse versions prior to 0.9.7
- Lumiverse deployments using the BetterAuth email sign-up flow
- Self-hosted Lumiverse AI chat instances exposing /api/auth/sign-up/email
Discovery Timeline
- 2026-05-26 - CVE-2026-44443 published to NVD
- 2026-05-28 - Last updated in NVD database
Technical Details for CVE-2026-44443
Vulnerability Analysis
The vulnerability stems from improper synchronization in the nonce-based authorization flow that protects admin-initiated user registration. The consumeNonce() function only verifies that a module-level nonce variable is set and unexpired. It does not compare any value from the incoming HTTP request against the stored nonce. It also fails to bind the nonce to the admin's authenticated session.
The flaw is classified as CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization). The attack vector is network-based with high attack complexity, since the attacker must win a timing race inside a 10-second window. No prior authentication and no user interaction are required to register the unauthorized account.
Root Cause
The root cause is a logic gap between BetterAuth's validation layer and the Lumiverse before hook that consumes the nonce. When an admin calls auth.api.signUpEmail() with an email that already exists, BetterAuth rejects the request during validation. By then the nonce-setting code has already run, but the hook that would consume the nonce never fires, so the nonce stays valid in shared module-level state for the full expiry window.
Attack Vector
An attacker monitors or predicts admin behavior around user-creation attempts that fail on a duplicate email. During the resulting 10-second window, the attacker submits a crafted POST /api/auth/sign-up/email request. The server treats the request as authorized because consumeNonce() finds the lingering nonce, and the attacker's account is created without admin approval. See GitHub Security Advisory GHSA-6fcp-x253-wwv7 for the maintainers' technical details.
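To make the gap concrete, the following TypeScript is an added illustration written for this page; it is not Lumiverse's source and not BetterAuth's API. It reconstructs the pattern the advisory describes (a module-level nonce checked only for presence and expiry) next to a hardened gate that issues a per-request random value, stores it keyed by that value together with the issuing admin's session id, and consumes it once. The names setNonceVulnerable, consumeNonceVulnerable, issueNonce, consumeNonceHardened, revokeNonce, the injected clock, the session id strings and the fakeSignUpEmail stand-in for auth.api.signUpEmail() are all assumptions made for the example; the 10-second TTL is the window the advisory gives.

```typescript
import { randomBytes, timingSafeEqual } from "crypto";

const NONCE_TTL_MS = 10_000; // the advisory's 10-second window

// ---- Vulnerable gate: reconstruction of the pattern described in the advisory ----
// (illustrative, not Lumiverse's actual code)
let pendingNonce: { expiresAt: number } | null = null;

function setNonceVulnerable(now: number): void {
  pendingNonce = { expiresAt: now + NONCE_TTL_MS };
}

// Only asks "is some nonce set and unexpired?". Nothing from the HTTP request is
// compared and no session is checked, so whoever arrives first wins.
function consumeNonceVulnerable(now: number): boolean {
  if (pendingNonce === null || pendingNonce.expiresAt <= now) return false;
  pendingNonce = null;
  return true;
}

// ---- Hardened gate: request-bound value, bound to the admin session, single use ----
interface NonceRecord { adminSessionId: string; expiresAt: number }
const issuedNonces = new Map<string, NonceRecord>();

function issueNonce(adminSessionId: string, now: number): string {
  const value = randomBytes(16).toString("hex"); // unguessable; returned only to this admin request
  issuedNonces.set(value, { adminSessionId, expiresAt: now + NONCE_TTL_MS });
  return value;
}

function consumeNonceHardened(
  presented: string | undefined,
  sessionId: string | undefined,
  now: number,
): boolean {
  if (!presented || !sessionId) return false;
  const record = issuedNonces.get(presented);
  if (record === undefined) return false;
  issuedNonces.delete(presented); // single use: removed before any further check
  if (record.expiresAt <= now) return false;
  const expected = Buffer.from(record.adminSessionId);
  const actual = Buffer.from(sessionId);
  return expected.length === actual.length && timingSafeEqual(expected, actual);
}

function revokeNonce(presented: string): void {
  issuedNonces.delete(presented);
}

// ---- Simulated flow: admin sign-up rejected for a duplicate email, then an attacker request ----
// Stand-in for auth.api.signUpEmail() (constructed for the example): validation rejects a
// known email before any Lumiverse hook runs.
const existingEmails = new Set<string>(["alice@example.com"]);
function fakeSignUpEmail(email: string): void {
  if (existingEmails.has(email)) throw new Error("user already exists");
  existingEmails.add(email);
}

function raceVulnerableGate(): boolean {
  const t0 = 1_700_000_000_000; // fixed clock so the run is deterministic
  setNonceVulnerable(t0);
  try {
    fakeSignUpEmail("alice@example.com");
  } catch {
    // rejected at validation; nothing consumes the nonce
  }
  // Attacker's POST /api/auth/sign-up/email three seconds later carries no nonce and
  // no admin session, and still passes the gate.
  return consumeNonceVulnerable(t0 + 3_000);
}

function raceHardenedGate(): boolean {
  const t0 = 1_700_000_000_000;
  const nonce = issueNonce("admin-session-7f3a", t0);
  try {
    fakeSignUpEmail("alice@example.com");
  } catch {
    revokeNonce(nonce); // a failed sign-up must not leave a live nonce behind
  }
  // Attacker guesses a nonce and even knows the admin's session id: still rejected.
  const guess = randomBytes(16).toString("hex");
  return consumeNonceHardened(guess, "admin-session-7f3a", t0 + 3_000);
}

function legitimateAdminHardened(): boolean {
  const t0 = 1_700_000_000_000;
  const nonce = issueNonce("admin-session-7f3a", t0);
  return consumeNonceHardened(nonce, "admin-session-7f3a", t0 + 500);
}
```

raceVulnerableGate() returns true (the attacker wins the race), raceHardenedGate() returns false, and legitimateAdminHardened() returns true. The revokeNonce() call in the catch is the belt-and-braces part: even a request-bound, session-bound nonce should not outlive the sign-up attempt that issued it.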
Detection Methods for CVE-2026-44443
Indicators of Compromise
- Unexpected user accounts created shortly after admin sign-up attempts that returned duplicate-email errors
- POST /api/auth/sign-up/email requests originating from IP addresses outside the admin's known network ranges
- Sign-up requests arriving within seconds of a logged BetterAuth duplicate-email validation failure
Detection Strategies
- Correlate failed admin signUpEmail() calls with subsequent successful sign-up events within a 10-second window
- Alert on any successful /api/auth/sign-up/email request that the application logs do not pair with a nonce set and consumed by the same admin action
- Review BetterAuth validation-layer rejections and match them against new account creation timestamps
Monitoring Recommendations
- Enable verbose logging on the Lumiverse authentication module, including nonce set and consume events
- Forward authentication logs to a centralized SIEM for time-window correlation analysis
- Track all newly registered accounts and validate them against the admin's intended provisioning list
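The time-window correlation and source-address checks above can be run over exported authentication logs. The TypeScript below is an added example written for this page, not a Lumiverse or BetterAuth component: it parses a constructed JSON-lines log (the event names nonce.set, signup.failed, signup.success, the duplicate_email reason and the field names are assumptions, since Lumiverse's real log format is not documented here), opens a 10-second race window after every duplicate-email rejection, and flags each successful sign-up that lands inside such a window or arrives from outside the admin networks (10.0.0.0/8, matching the reverse-proxy workaround further down).

```typescript
const RACE_WINDOW_MS = 10_000;          // the advisory's 10-second nonce lifetime
const ADMIN_NETWORKS = ["10.0.0.0/8"];  // assumption: the admin range used in the nginx workaround

interface LogEvent {
  ts: string;       // ISO-8601 timestamp
  event: string;    // "nonce.set" | "signup.failed" | "signup.success" (hypothetical names)
  email?: string;
  ip?: string;
  reason?: string;
  session?: string;
}

interface Alert { email: string; ts: string; reasons: string[] }

function ipv4ToInt(ip: string): number {
  return ip.split(".").reduce((acc, octet) => ((acc << 8) + Number(octet)) >>> 0, 0);
}

// IPv4-only CIDR membership test; enough for the admin ranges in this example.
function inCidr(ip: string, cidr: string): boolean {
  const [network, prefix] = cidr.split("/");
  const bits = Number(prefix ?? "32");
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(network ?? "") & mask) >>> 0);
}

function parseLog(lines: string[]): LogEvent[] {
  return lines.filter((l) => l.trim() !== "").map((l) => JSON.parse(l) as LogEvent);
}

function correlateSignUps(lines: string[], adminNetworks: string[] = ADMIN_NETWORKS): Alert[] {
  const events = parseLog(lines);
  // Every duplicate-email rejection opens a window in which a dangling nonce could be abused.
  const rejections = events
    .filter((e) => e.event === "signup.failed" && e.reason === "duplicate_email")
    .map((e) => Date.parse(e.ts));
  const alerts: Alert[] = [];
  for (const e of events) {
    if (e.event !== "signup.success") continue;
    const t = Date.parse(e.ts);
    const reasons: string[] = [];
    const opener = rejections.find((r) => t >= r && t - r <= RACE_WINDOW_MS);
    if (opener !== undefined) reasons.push(`success ${t - opener} ms after a duplicate-email rejection`);
    const ip = e.ip;
    if (ip !== undefined && !adminNetworks.some((c) => inCidr(ip, c))) {
      reasons.push(`source ${ip} outside admin networks`);
    }
    if (reasons.length > 0) alerts.push({ email: e.email ?? "<unknown>", ts: e.ts, reasons });
  }
  return alerts;
}

// Constructed sample log: one admin attempt rejected for a duplicate email, an outside
// sign-up 3.15 s later, a benign admin sign-up outside the window, and a clean admin run.
const SAMPLE_LOG: string[] = [
  '{"ts":"2026-05-27T10:00:00.000Z","event":"nonce.set","session":"adm-1","ip":"10.1.2.3"}',
  '{"ts":"2026-05-27T10:00:00.050Z","event":"signup.failed","reason":"duplicate_email","email":"alice@example.com","ip":"10.1.2.3"}',
  '{"ts":"2026-05-27T10:00:03.200Z","event":"signup.success","email":"mallory@evil.example","ip":"203.0.113.9"}',
  '{"ts":"2026-05-27T10:00:15.000Z","event":"signup.success","email":"carol@example.com","ip":"10.1.2.3"}',
  '{"ts":"2026-05-27T10:05:00.000Z","event":"nonce.set","session":"adm-1","ip":"10.1.2.3"}',
  '{"ts":"2026-05-27T10:05:00.040Z","event":"signup.success","email":"bob@example.com","ip":"10.1.2.3"}',
];

function demo(): Alert[] {
  return correlateSignUps(SAMPLE_LOG);
}
```

demo() returns a single alert for mallory@evil.example with both reasons attached; carol's sign-up is 14.95 s after the rejection and from an admin address, so it is not flagged. In a SIEM the same logic is a join of signup.success against signup.failed on a 10-second lag plus a CIDR lookup on the source address.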
How to Mitigate CVE-2026-44443
Immediate Actions Required
- Upgrade Lumiverse to version 0.9.7 or later, which contains the official fix
- Audit all accounts created while a vulnerable version was deployed and identify any that were not provisioned by an admin
- Rotate credentials and revoke sessions for any account suspected of unauthorized registration
Patch Information
The vulnerability is fixed in Lumiverse 0.9.7. The patch corrects consumeNonce() so that it validates a request-bound nonce value and binds the nonce to the admin's session. Refer to the GitHub Security Advisory GHSA-6fcp-x253-wwv7 for full remediation guidance.
Workarounds
- Restrict network access to /api/auth/sign-up/email so only trusted admin networks can reach the endpoint
- Until the patch is applied, check whether an account already exists before invoking the admin sign-up flow, so the duplicate-email rejection that leaves the nonce dangling does not occur
- Place the Lumiverse instance behind a reverse proxy that enforces authentication on sign-up routes
# Configuration example: restrict the sign-up endpoint at the reverse proxy (nginx)
# allow/deny act on the TCP peer address; if another proxy or load balancer sits in
# front of nginx, configure the real_ip module first or every request will appear to
# come from that proxy's address and the rule will admit or block everyone at once.
location = /api/auth/sign-up/email {
    allow 10.0.0.0/8;   # admin network only; adjust to your own ranges
    deny  all;          # everything else receives 403 before reaching Lumiverse
    proxy_pass http://lumiverse_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


