CVE-2026-22665
Published: 03 April 2026
Summary
CVE-2026-22665 is a high-severity Improper Handling of Case Sensitivity (CWE-178) vulnerability in Fka Prompts.Chat. Its reported CVSS base score is 8.6 (High); note that the CVSS v3.1 vector given in the analysis below scores 8.1.
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 24.9th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-4 (Identifier Management).
Deeper analysis
CVE-2026-22665, published on 2026-04-03, is an identity confusion vulnerability (CWE-178, Improper Handling of Case Sensitivity) in the prompts.chat application prior to commit 1464475. The write path (account creation) and the read path (username lookup) disagree on whether usernames are case-sensitive: the uniqueness check at registration treats case variants as distinct, so an attacker can register a case variant of an existing username, while lookups on canonical profile URLs collapse case and therefore resolve non-deterministically between the two accounts. The CVSS v3.1 base score is 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).
An attacker with low privileges (PR:L), i.e. any registered user, can exploit this remotely over the network with low attack complexity and no user interaction. By registering a case variant of a victim's canonical username, the attacker can impersonate the victim account, replace the profile content displayed at the victim's canonical URL, and inject attacker-controlled metadata and content across the platform, compromising confidentiality and integrity (availability is unaffected, A:N).
The fix is commit 1464475df2698fb7ccd0cdbc382b0750466f891d, merged through pull request #1098 in the prompts.chat GitHub repository. Operators of affected prompts.chat instances should update to that commit or later, which enforces consistent case handling across the create and read paths, and confirm after deployment that registering a case variant of an existing username is rejected. Further technical details are in the VulnCheck advisory.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-18829
Vulnerability details
prompts.chat prior to commit 1464475 contains an identity confusion vulnerability due to inconsistent case-sensitive and case-insensitive handling of usernames across write and read paths, allowing attackers to create case-variant usernames that bypass uniqueness checks. Attackers can exploit non-deterministic username resolution to impersonate victim accounts, replace profile content on canonical URLs, and inject attacker-controlled metadata and content across the platform.
- CWE(s): CWE-178 (Improper Handling of Case Sensitivity)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability sits in a public-facing web application (prompts.chat), so it is reached directly via Exploit Public-Facing Application (T1190); the resulting case-variant username bypass enables account impersonation (T1656, Impersonation) and profile/content injection.
Mitigating Controls (NIST 800-53 r5)
- IA-4 (Identifier Management): enforces consistent identifier (username) management and uniqueness validation across the create and read paths, directly blocking the case-variant registration that enables impersonation.
- AC-3 (Access Enforcement): requires a reliable identity-to-access mapping before profile/content operations are allowed, preventing the non-deterministic resolution that lets attackers replace victim data on canonical URLs.
- Account provisioning rules that include case-insensitive uniqueness checks stop the initial bypass used to create attacker-controlled variant accounts.
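The following is an added illustration of the defect described in the deeper analysis and of the consistent-identifier handling the mitigating controls call for. It is not code from prompts.chat or from its fix; the store classes, field names and sample usernames are hypothetical, and TypeScript is assumed as the project's stack. The vulnerable store checks uniqueness on the raw string at registration but matches case-insensitively on lookup and prefers the newest row, so the attacker's row is what the victim's canonical URL shows; the hardened store derives one canonical key (NFKC normalisation plus case folding) and uses it on both paths.

```typescript
// Added example: a username store with the CWE-178 defect the advisory
// describes, beside a hardened store. Not code from prompts.chat or its fix;
// the classes, field names and sample usernames are hypothetical.

interface UserRow {
  id: number;
  username: string; // exactly as entered at registration
  bio: string;
  updatedAt: number; // logical clock standing in for a timestamp column
}

// Canonical key shared by every path that stores or looks up a username.
// NFKC collapses compatibility variants (fullwidth letters, the Kelvin sign
// U+212A -> "K"); toLowerCase() then folds case. Assumption: usernames are
// restricted to a simple character set elsewhere, so toLowerCase() is an
// adequate casefold (locale-specific cases such as Turkish dotless i are
// not handled here).
export function canonicalUsername(name: string): string {
  return name.normalize("NFKC").toLowerCase();
}

// --- Vulnerable: write path case-sensitive, read path case-insensitive ---
export class VulnerableUserStore {
  private rows: UserRow[] = [];
  private clock = 0;

  // Uniqueness is checked on the raw string, so "ALICE" does not collide
  // with "alice" and both rows are created.
  register(username: string, bio: string): UserRow {
    if (this.rows.some(r => r.username === username)) {
      throw new Error("username taken");
    }
    const row: UserRow = { id: this.rows.length + 1, username, bio, updatedAt: ++this.clock };
    this.rows.push(row);
    return row;
  }

  // Profile lookup for /u/<name>: case-insensitive match, newest row wins
  // (think `WHERE lower(username) = lower($1) ORDER BY updated_at DESC LIMIT 1`).
  // Which account is shown now depends on data the attacker controls.
  resolve(username: string): UserRow | undefined {
    const key = username.toLowerCase();
    return this.rows
      .filter(r => r.username.toLowerCase() === key)
      .sort((a, b) => b.updatedAt - a.updatedAt)[0];
  }
}

// --- Hardened: one canonical key on both paths ---
export class HardenedUserStore {
  private byKey = new Map<string, UserRow>();

  register(username: string, bio: string): UserRow {
    const key = canonicalUsername(username);
    if (this.byKey.has(key)) {
      throw new Error("username taken");
    }
    const row: UserRow = { id: this.byKey.size + 1, username, bio, updatedAt: 0 };
    this.byKey.set(key, row);
    return row;
  }

  // Same canonicalisation on read, so a URL typed in any case resolves to
  // exactly one account.
  resolve(username: string): UserRow | undefined {
    return this.byKey.get(canonicalUsername(username));
  }
}

// Walk through the attack against both stores and report what /u/alice shows.
export function demo(): { vulnerableShows: string; hardenedRejects: boolean; hardenedShows: string } {
  const vuln = new VulnerableUserStore();
  vuln.register("alice", "I am the real alice");
  vuln.register("ALICE", "attacker-controlled bio"); // passes the raw-string uniqueness check
  const vulnerableShows = vuln.resolve("alice")?.bio ?? "";

  const hard = new HardenedUserStore();
  hard.register("alice", "I am the real alice");
  let hardenedRejects = false;
  try {
    hard.register("ALICE", "attacker-controlled bio");
  } catch {
    hardenedRejects = true;
  }
  const hardenedShows = hard.resolve("ALICE")?.bio ?? "";
  return { vulnerableShows, hardenedRejects, hardenedShows };
}
```

In a real deployment the canonical key should be a separate indexed column with a unique constraint, populated from the same function on every write, so the database enforces uniqueness even if a second code path forgets to; a backfill over existing rows will also surface any variant accounts that were registered before the fix.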