Cyber Resilience

CVE-2026-22665

Severity: High · Public PoC

Published: 03 April 2026

Modified: 26 May 2026
KEV Added: not listed
Patch: available (commit 1464475)
CVSS Score v4: 8.6 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0033 (24.9th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-22665 is a high-severity Improper Handling of Case Sensitivity (CWE-178) vulnerability in Fka Prompts.Chat. Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 24.9th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-4 (Identifier Management).

Deeper analysis

CVE-2026-22665, published on 2026-04-03, is an identity confusion vulnerability (CWE-178) in the prompts.chat application prior to commit 1464475. The issue arises from inconsistent handling of usernames: the write path compares them case-sensitively while the read path compares them case-insensitively, so an attacker can register a case-variant username that passes the uniqueness check at account creation. The result is non-deterministic username resolution. The CVSS v3.1 base score is 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).

An attacker with low privileges (PR:L), such as a registered user, can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By creating a case-variant username that matches a victim's canonical username, the attacker can impersonate the victim account, replace profile content displayed on canonical URLs, and inject attacker-controlled metadata and content across the platform, compromising confidentiality and integrity.

Mitigation is provided via commit 1464475df2698fb7ccd0cdbc382b0750466f891d, merged through pull request #1098 on the prompts.chat GitHub repository. Security practitioners should update affected prompts.chat instances to this commit or later to enforce consistent case handling and prevent bypasses. Further technical details are outlined in the VulnCheck advisory.
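The inconsistency described above, as a constructed TypeScript illustration added here (not code from prompts.chat or from the referenced fix): an exact-match uniqueness check on the write path beside a case-insensitive lookup on the read path, followed by a store that canonicalizes the handle once and uses that single key on both paths. The class and function names, the handle character set and the "most recently registered row wins" ordering are assumptions made for the example.

```typescript
// Constructed illustration of CWE-178 username confusion; not prompts.chat code.
interface Profile { username: string; bio: string }

// Vulnerable pattern: the write path compares usernames byte-for-byte, while the
// read path (profile lookup for a canonical URL) compares case-insensitively.
class VulnerableUserStore {
  private rows: Profile[] = [];

  register(username: string, bio: string): boolean {
    // Uniqueness check is exact-match, so "Alice" passes when "alice" exists.
    if (this.rows.some((r) => r.username === username)) return false;
    this.rows.push({ username, bio });
    return true;
  }

  resolve(handle: string): Profile | undefined {
    // A case-insensitive match can hit several rows; which one wins depends on
    // query ordering. Modelled here as "most recently registered" (assumption),
    // so a later case-variant account shadows the original on its canonical URL.
    const matches = this.rows.filter(
      (r) => r.username.toLowerCase() === handle.toLowerCase(),
    );
    return matches[matches.length - 1];
  }
}

// Hardened pattern: compute one canonical key and use it on every path.
function canonicalize(username: string): string {
  // Lower-casing alone is not a complete answer for arbitrary Unicode; limiting
  // handles to a narrow ASCII set (assumed policy) keeps the folding predictable.
  if (!/^[A-Za-z0-9_.-]{1,39}$/.test(username)) throw new Error("invalid handle");
  return username.toLowerCase();
}

class HardenedUserStore {
  private byKey = new Map<string, Profile>();

  register(username: string, bio: string): boolean {
    const key = canonicalize(username);
    if (this.byKey.has(key)) return false; // rejects every case variant
    this.byKey.set(key, { username, bio });
    return true;
  }

  resolve(handle: string): Profile | undefined {
    // Same canonical key as the write path, so resolution is deterministic.
    return this.byKey.get(canonicalize(handle));
  }
}
```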


Vulnerability details

prompts.chat prior to commit 1464475 contains an identity confusion vulnerability due to inconsistent case-sensitive and case-insensitive handling of usernames across write and read paths, allowing attackers to create case-variant usernames that bypass uniqueness checks. Attackers can exploit non-deterministic username resolution to impersonate victim accounts, replace profile content on canonical URLs, and inject attacker-controlled metadata and content across the platform.

CWE(s)

CWE-178 Improper Handling of Case Sensitivity

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1684.001 Impersonation (Stealth)
Adversaries may impersonate a trusted person or organization in order to persuade and trick a target into performing some action on their behalf.
Why these techniques?

The vulnerability in a public web application (prompts.chat) directly enables exploitation via T1190; the resulting case-variant username bypass facilitates account impersonation (T1656) and profile/content injection.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-22663 · Same product: Fka Prompts.Chat
CVE-2026-22661 · Same product: Fka Prompts.Chat
CVE-2026-22664 · Same product: Fka Prompts.Chat
CVE-2026-28403 · Same vendor: Fka
CVE-2026-28412 · Same vendor: Fka
CVE-2025-27636 · Shared CWE-178
CVE-2026-27587 · Shared CWE-178
CVE-2024-6866 · Shared CWE-178
CVE-2026-27588 · Shared CWE-178
CVE-2026-33691 · Shared CWE-178

Affected Assets

Vendor: fka
Product: prompts.chat
Affected: ≤ 2026-03-24

Mitigating Controls (NIST 800-53 r5) AI

Prevent: Enforces consistent identifier (username) management and uniqueness validation across create/read paths, directly blocking the case-variant registration that enables impersonation.

Prevent: Requires reliable identity-to-access mapping before allowing profile/content operations, preventing the non-deterministic resolution that lets attackers replace victim data on canonical URLs.

Prevent: Mandates account provisioning rules that include case-insensitive uniqueness checks, stopping the initial bypass used to create attacker-controlled variant accounts.
