PatchSiren cyber security CVE debrief
CVE-2026-22665 f CVE debrief
CVE-2026-22665 documents an identity confusion vulnerability in Prompts.chat, a platform for sharing and discovering AI prompts. The vulnerability stems from inconsistent handling of username case across the application's write and read paths (case-sensitive on some, case-insensitive on others) in code prior to commit 1464475. This inconsistency allows attackers to create case-variant usernames (e.g., 'UserName' vs 'username') that bypass uniqueness checks, enabling account impersonation and content injection. The CVE record was published on April 3, 2026, and modified on May 26, 2026. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no required privileges, and high impact to confidentiality and integrity. The underlying weakness is categorized as CWE-178 (Incorrect Case Sensitivity). A patch is available via GitHub commit 1464475df2698fb7ccd0cdbc382b0750466f891d.
- Vendor: f
- Product: prompts.chat
- CVSS: HIGH 8.6
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-04-03
- Original CVE updated: 2026-05-26
- Advisory published: 2026-04-03
- Advisory updated: 2026-05-26
Who should care
Organizations operating Prompts.chat instances, security teams monitoring for authentication bypass vulnerabilities, and developers building user management systems with username-based identification.
Technical summary
The vulnerability exists in the username handling logic of Prompts.chat, where write operations (account creation) and read operations (authentication, profile resolution) apply different case sensitivity rules. This allows an attacker to register a username that differs only in case from an existing account (e.g., 'Admin' when 'admin' exists). Depending on which code path handles a request, the platform may resolve the name to either account, so the outcome is effectively non-deterministic from the user's point of view. Attackers can exploit this to: (1) impersonate victim accounts by triggering resolution to the attacker's case-variant account, (2) replace profile content on canonical URLs due to routing confusion, and (3) inject attacker-controlled metadata and content that appears associated with the victim's identity. The fix in commit 1464475 enforces consistent case-sensitive handling throughout the application.
Defensive priority
HIGH
Recommended defensive actions
- Apply the patch from commit 1464475df2698fb7ccd0cdbc382b0750466f891d to ensure consistent case-sensitive username handling across all authentication and authorization paths.
- Audit existing user accounts for case-variant duplicates that may have been created prior to patching.
- Implement canonical username storage (e.g., lowercase normalization) with case-preserving display names to prevent future collisions.
- Review access control logic to ensure username comparisons use consistent case sensitivity throughout the application stack.
- Monitor for suspicious account creation patterns involving case variations of existing usernames.
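The pattern described in the technical summary and the canonical-storage fix from the recommended actions, shown side by side as an added example (not Prompts.chat code; Python is an editorial choice, and the casefold canonicalisation rule, the registry classes and the audit helper are assumptions for illustration):

```python
from typing import Dict, List, Optional, Tuple


def canonical(username: str) -> str:
    """Canonical key used for uniqueness and lookup (assumed rule: casefold)."""
    return username.casefold()


class VulnerableRegistry:
    """Inconsistent handling: exact-match uniqueness on the write path, but a
    case-insensitive index on one read path (the profile route). CWE-178."""
    def __init__(self) -> None:
        self.users: Dict[str, str] = {}          # username as typed -> profile

    def register(self, username: str, profile: str) -> bool:
        if username in self.users:               # case-sensitive check only
            return False
        self.users[username] = profile
        return True

    def login(self, username: str) -> Optional[str]:
        return self.users.get(username)          # exact match: original wins

    def profile_page(self, username: str) -> Optional[str]:
        # Case-insensitive route index; a later case variant overwrites the
        # original entry, so the canonical URL now serves the variant's content.
        index = {name.lower(): p for name, p in self.users.items()}
        return index.get(username.lower())


class HardenedRegistry:
    """One canonical key per account; the name as typed is kept for display."""
    def __init__(self) -> None:
        self.users: Dict[str, Tuple[str, str]] = {}   # key -> (display, profile)

    def register(self, username: str, profile: str) -> bool:
        key = canonical(username)
        if key in self.users:                    # same rule as every read path
            return False
        self.users[key] = (username, profile)
        return True

    def resolve(self, username: str) -> Optional[Tuple[str, str]]:
        return self.users.get(canonical(username))


def find_case_variant_duplicates(usernames: List[str]) -> Dict[str, List[str]]:
    """Audit helper for pre-patch data: groups of usernames whose canonical
    keys collide, i.e. accounts that should never have coexisted."""
    groups: Dict[str, List[str]] = {}
    for name in usernames:
        groups.setdefault(canonical(name), []).append(name)
    return {key: names for key, names in groups.items() if len(names) > 1}
```

Running `find_case_variant_duplicates` over an exported username list gives the audit from the second recommended action; the two registries show why the login and profile paths can disagree before the fix and agree after it.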
Evidence notes
The vulnerability description and timeline are sourced from NVD records. The patch commit and advisory references are attributed to [email protected]. CPE criteria confirm affected versions prior to 2026-03-24.
Official resources
- CVE-2026-22665 CVE record (CVE.org)
- CVE-2026-22665 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Patch
- Mitigation or vendor reference: [email protected] - Exploit, Issue Tracking, Vendor Advisory
- Mitigation or vendor reference: [email protected] - Third Party Advisory
2026-04-03T21:17:09.693Z