VYPR
Medium severity (4.8) · NVD Advisory · Published May 26, 2026

CVE-2026-44443

Description

Lumiverse is a full-featured AI chat application. Prior to 0.9.7, consumeNonce() only checks that the module-level variable is set and unexpired. It does not validate any value from the incoming HTTP request or bind the nonce to the admin's session. If the admin's auth.api.signUpEmail() call fails before the before hook fires (e.g. BetterAuth rejects a duplicate email at the validation layer), the nonce is set but never consumed. Any POST /api/auth/sign-up/email request that arrives during the remaining window registers successfully regardless of who sent it. An attacker who can observe or predict when the admin is creating users (the admin's attempt must be for a duplicate user, so that the nonce is left unconsumed) can race the 10-second window to register an unauthorized account. This vulnerability is fixed in 0.9.7.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Lumiverse prior to 0.9.7 uses a module-level nonce without session binding, allowing a race condition that lets an attacker register an unauthorized account within a 10-second window.

Vulnerability

In Lumiverse versions before 0.9.7, the user creation gate relies on a module-level nonce with a 10-second validity. The nonce is set when an admin calls allowCreation(), but consumeNonce() only checks that the module-level variable is set and unexpired, without validating any value from the incoming HTTP request or binding the nonce to the admin's session [1]. If the admin's auth.api.signUpEmail() call fails before the before hook fires (e.g., BetterAuth rejects a duplicate email), the nonce is set but never consumed, leaving a window for unauthorized account registration [1].

Exploitation

An attacker who can observe or predict when the admin is creating users (specifically, attempting to create a duplicate user) can send a POST /api/auth/sign-up/email request within the 10-second window after the nonce is set and before it expires; the admin's failed call never consumes it [1]. Since consumeNonce() does not bind the nonce to the admin's session or to any request value, whichever sign-up request reaches the before hook first during that window consumes the nonce and registers an account, regardless of the sender [1].

Impact

A successful exploit allows an attacker to register an account in the Lumiverse application without the admin's approval, bypassing the admin-only user creation control and gaining authenticated access with whatever privileges are granted to newly registered users [1]. This is a breach of authentication integrity that can serve as a foothold for further unauthorized actions within the application.

Mitigation

The vulnerability is fixed in Lumiverse version 0.9.7 [1]. Administrators should upgrade to this or a later version immediately. No workaround is mentioned in the available references [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing nonce-to-request binding in consumeNonce() allows any unauthenticated request to consume a nonce set by a failed admin user-creation attempt."

Attack vector

An attacker must observe or predict when an admin attempts to create a user that already exists (a duplicate email), causing `auth.api.signUpEmail()` to fail after `allowCreation()` has set the nonce but before the `before` hook fires to consume it [ref_id=1]. The nonce then remains valid for a 10-second window, during which any unauthenticated `POST /api/auth/sign-up/email` request is accepted, because `consumeNonce()` neither binds the nonce to the admin's session nor validates any request-specific value [ref_id=1]. The PoC polls the endpoint every 8 seconds; because the poll interval is shorter than the 10-second window, at least one request lands while the nonce is armed, and that request registers an arbitrary account without authentication [ref_id=1].

Affected code

The module-level variables `creationNonce` and `creationNonceExpiry` in the sign-up gate are set by `allowCreation()` and consumed by `consumeNonce()`. The `consumeNonce()` function only checks that the nonce is set and unexpired — it does not accept or validate any value from the incoming HTTP request [ref_id=1]. The nonce is set before `auth.api.signUpEmail()` is called, and consumed in the `databaseHooks.user.create.before` hook [ref_id=1].

What the fix does

The advisory recommends binding the nonce to the specific request rather than to module state: pass the nonce value into `consumeNonce(expected)` and verify `creationNonce === expected`, so only the admin's own `signUpEmail()` call can consume it [ref_id=1]. This closes the race by ensuring that a nonce set by one request cannot be consumed by a different, unrelated request. The fix is included in Lumiverse version 0.9.7 [ref_id=1].
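The gate described in the "Affected code" and "What the fix does" paragraphs above, as an added example written for this page rather than code from Lumiverse or BetterAuth: allowCreation(), consumeNonce(), creationNonce and creationNonceExpiry follow the names in the advisory, while the stand-in signUpEmail() (modelling only the fact that duplicate-email validation rejects the call before the `before` hook runs), the SignUpRequest shape, the request-bound consumeNonceBound() and its constant-time comparison are assumptions made for illustration. The example runs the duplicate-email race under both gates and also covers the expired-window case and a legitimate admin creation through the bound gate.

```typescript
// Added example, not Lumiverse's or BetterAuth's code. allowCreation(),
// consumeNonce(), creationNonce and creationNonceExpiry follow the advisory;
// signUpEmail() (a stand-in for auth.api.signUpEmail), SignUpRequest,
// consumeNonceBound() and the constant-time compare are assumptions.
import { randomUUID, timingSafeEqual } from "node:crypto";

const NONCE_TTL_MS = 10_000; // the 10-second window from the advisory

// Module-level state: the design the advisory faults. One slot for the whole process.
let creationNonce: string | null = null;
let creationNonceExpiry = 0;

// Admin side: arm the gate right before calling signUpEmail(). Returns the
// value so the caller can present it (only the bound variant checks it).
export function allowCreation(now: number): string {
  creationNonce = randomUUID();
  creationNonceExpiry = now + NONCE_TTL_MS;
  return creationNonce;
}

// Pre-0.9.7 shape: the only check is "set and unexpired". Nothing from the
// request is inspected, so whichever request reaches the hook first wins.
export function consumeNonce(now: number): boolean {
  if (creationNonce === null || now > creationNonceExpiry) return false;
  creationNonce = null;
  return true;
}

// Request-bound variant in the shape the advisory recommends: the caller must
// present the value allowCreation() returned. The advisory describes a plain
// `creationNonce === expected`; the constant-time compare is an addition.
export function consumeNonceBound(expected: string | undefined, now: number): boolean {
  const current = creationNonce;
  if (current === null || now > creationNonceExpiry || expected === undefined) return false;
  const a = Buffer.from(current), b = Buffer.from(expected);
  if (a.length !== b.length || !timingSafeEqual(a, b)) return false;
  creationNonce = null;
  return true;
}

export interface SignUpRequest { email: string; nonce?: string }
type BeforeHook = (req: SignUpRequest, now: number) => boolean;

// Stand-in for the sign-up path. It models only the ordering the race depends
// on: duplicate-email validation rejects the call BEFORE the before hook runs.
export function signUpEmail(
  users: Set<string>, req: SignUpRequest, before: BeforeHook, now: number,
): "created" | "duplicate" | "denied" {
  if (users.has(req.email)) return "duplicate"; // hook never fires, nonce stays armed
  if (!before(req, now)) return "denied";
  users.add(req.email);
  return "created";
}

// The race from the advisory under either gate. Times are ms after the admin's
// allowCreation() call; the attacker's POST carries no nonce and no session.
export function raceOutcome(mode: "unbound" | "bound", attackerDelayMs: number) {
  creationNonce = null; // fresh module state for each run
  const users = new Set(["alice@example.com"]); // constructed sample user store
  const before: BeforeHook = (req, now) =>
    mode === "unbound" ? consumeNonce(now) : consumeNonceBound(req.nonce, now);

  // Admin re-creates an existing user: the nonce is armed, then signUpEmail fails early.
  const issued = allowCreation(0);
  const admin = signUpEmail(users, { email: "alice@example.com", nonce: issued }, before, 0);

  const attacker = signUpEmail(users, { email: "mallory@attacker.example" }, before, attackerDelayMs);
  return { admin, attacker, registered: users.has("mallory@attacker.example") };
}

// Sanity check: the bound gate must still serve the admin's own call.
export function legitimateCreate(): "created" | "duplicate" | "denied" {
  creationNonce = null;
  const users = new Set<string>();
  const issued = allowCreation(0);
  return signUpEmail(users, { email: "bob@example.com", nonce: issued },
    (req, now) => consumeNonceBound(req.nonce, now), 50);
}

// Outcomes under both gates: the attacker is "created" only with the unbound gate.
console.log(raceOutcome("unbound", 3_000), raceOutcome("bound", 3_000));
```

Note that the bound gate does not clear the nonce after the admin's failed duplicate attempt either; it stays armed until expiry. The difference is that only a request presenting the issued value can consume it, so the attacker's nonce-less POST is denied rather than accepted, while the admin's own call with the issued value still goes through.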

Preconditions

  • input: An admin must attempt to create a user with an email that already exists (a duplicate), causing signUpEmail() to fail after allowCreation() sets the nonce
  • network: Attacker must send a POST /api/auth/sign-up/email request within the 10-second nonce validity window
  • auth: No authentication required for the attacker's request

Reproduction

1. Set up Lumiverse and an admin account.
2. From the admin interface, attempt to create a user with an email that already exists (a duplicate).
3. Within 10 seconds of that failed request, run `node poc-nonce-race.mjs [base_url]` (the PoC script polls every 8 seconds).
4. Observe that the script successfully creates an arbitrary unauthenticated user account [ref_id=1].

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 1
