PT-2026-43399 · Lumiverse · Lumiverse

Cu64

·

Published

2026-05-26

·

Updated

2026-05-27

·

CVE-2026-44443

CVSS v3.1

4.8

Medium

VectorAV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions Lumiverse versions prior to 0.9.7
Description The consumeNonce() function only verifies that a module-level variable is set and has not expired, failing to validate values from the incoming HTTP request or bind the nonce to the administrator's session. If an auth.api.signUpEmail() call fails before the before hook executes—such as when BetterAuth rejects a duplicate email—the nonce remains set but is not consumed. This allows any POST request to the '/api/auth/sign-up/email' endpoint arriving within the 10-second window to register successfully, regardless of the sender. An attacker capable of predicting or observing when an administrator attempts to create a duplicate user can exploit this race condition to register an unauthorized account.
Recommendations Update to version 0.9.7.

Exploit

Fix

Race Condition

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-44443

Affected Products

Lumiverse