PatchSiren cyber security CVE debrief

CVE-2026-44443 prolix-oc CVE debrief

A race condition vulnerability exists in Lumiverse, an AI chat application, prior to version 0.9.7. The `consumeNonce()` function fails to validate values from incoming HTTP requests or bind nonces to specific admin sessions. When an admin's `auth.api.signUpEmail()` call fails before the before hook executes—such as when BetterAuth rejects a duplicate email at the validation layer—the nonce is set but never consumed. During the remaining 10-second window, any POST request to `/api/auth/sign-up/email` can successfully register an account regardless of the sender's identity. An attacker who can observe or predict when an admin is creating duplicate users can exploit this window to register unauthorized accounts. The vulnerability is classified as CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization).

Vendor: prolix-oc
Product: Lumiverse
CVSS: MEDIUM 4.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-26
Original CVE updated: 2026-05-27
Advisory published: 2026-05-26
Advisory updated: 2026-05-27

Who should care

Organizations running Lumiverse instances prior to 0.9.7, particularly those with admin-managed user provisioning workflows. Security teams monitoring for authentication bypass vulnerabilities in AI/ML application platforms. Developers implementing nonce-based authentication protections should review their implementations for similar session-binding deficiencies.

Technical summary

The vulnerability stems from improper synchronization in the nonce consumption mechanism. The `consumeNonce()` function only verifies that a module-level nonce variable exists and is unexpired, without cryptographically binding the nonce to the initiating admin session or validating request-specific parameters. When BetterAuth's validation layer rejects a duplicate email before the before hook fires, the nonce remains in a consumable state. The 10-second expiration window creates a race condition where an attacker can submit a crafted POST request to `/api/auth/sign-up/email` and successfully register an account. This represents a classic time-of-check to time-of-use (TOCTOU) vulnerability in authentication flow state management.

Defensive priority

medium

Recommended defensive actions

  • Upgrade Lumiverse to version 0.9.7 or later to remediate this vulnerability
  • Implement additional server-side validation to bind nonces to specific admin sessions
  • Add request origin validation for sensitive authentication endpoints
  • Monitor authentication logs for anomalous account creation patterns during admin user management activities
  • Consider implementing rate limiting on the `/api/auth/sign-up/email` endpoint to limit the number of attempts possible within the 10-second window

Evidence notes

The vulnerability description indicates this is a race condition in nonce handling during email signup. The 10-second window and specific API endpoint `/api/auth/sign-up/email` are confirmed in the source material. The fix version 0.9.7 is explicitly stated.
