CVE-2026-22665
Published: 03 April 2026
Summary
CVE-2026-22665 is a high-severity Improper Handling of Case Sensitivity (CWE-178) vulnerability in Fka Prompts.Chat. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 10.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and IA-4 (Identifier Management).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- IA-4 (Identifier Management): Mandates unique and consistent management of system identifiers such as usernames, directly preventing case-variant confusions that bypass uniqueness checks.
- AC-2 (Account Management): Requires establishment and management of accounts using unique identifiers, preventing creation of duplicate or impersonating case-variant usernames.
- SI-2 (Flaw Remediation): Ensures timely remediation of flaws like inconsistent case handling in username resolution, as addressed by commit 1464475.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability sits in a public-facing web application (prompts.chat), so it is reachable through Exploit Public-Facing Application (T1190); the resulting case-variant username bypass enables account impersonation (Impersonation, T1656) and profile/content injection.
NVD Description
prompts.chat prior to commit 1464475 contains an identity confusion vulnerability due to inconsistent case-sensitive and case-insensitive handling of usernames across write and read paths, allowing attackers to create case-variant usernames that bypass uniqueness checks. Attackers can exploit non-deterministic username resolution to impersonate victim accounts, replace profile content on canonical URLs, and inject attacker-controlled metadata and content across the platform.
Deeper analysis
CVE-2026-22665, published on 2026-04-03, is an identity confusion vulnerability (CWE-178) in the prompts.chat application prior to commit 1464475. The issue arises from inconsistent case-sensitive and case-insensitive handling of usernames across write and read paths: the write path accepts a username that differs from an existing one only by case, so a case-variant username passes the uniqueness check at creation time, while the read path later resolves such names non-deterministically. The CVSS v3.1 base score is 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).
An attacker with low privileges (PR:L), such as a registered user, can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By creating a case-variant username that matches a victim's canonical username, the attacker can impersonate the victim account, replace profile content displayed on canonical URLs, and inject attacker-controlled metadata and content across the platform, compromising confidentiality and integrity.
Mitigation is provided via commit 1464475df2698fb7ccd0cdbc382b0750466f891d, merged through pull request #1098 on the prompts.chat GitHub repository. Security practitioners should update affected prompts.chat instances to this commit or later to enforce consistent case handling and prevent bypasses. Further technical details are outlined in the VulnCheck advisory.
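The following is an added illustration of the CWE-178 pattern described above and of the fix class that commit 1464475 represents; it is constructed for this page and is not code from prompts.chat, the VulnCheck advisory, or the referenced pull request. The vulnerable store checks uniqueness with an exact comparison on the write path but resolves names case-insensitively on the read path, so two case variants can coexist and a canonical URL resolves to whichever record the backend returns first. The hardened store routes both paths through one canonical form (NFKC normalisation, casefold, and an allow-list), so the uniqueness check and the lookup always agree. The class names, the regular expression, and the sample usernames are assumptions for the example.

```python
import re
import unicodedata
from dataclasses import dataclass
from typing import Optional


@dataclass
class Profile:
    display_name: str  # username exactly as the user typed it
    bio: str


class VulnerableUserStore:
    """Toy reproduction of the CWE-178 pattern (constructed example):
    the write path checks uniqueness with an exact, case-sensitive
    comparison while the read path resolves usernames case-insensitively."""

    def __init__(self) -> None:
        self._profiles: dict = {}

    def register(self, username: str, bio: str) -> Profile:
        # Exact-match uniqueness check: "Alice" does not collide with "alice".
        if username in self._profiles:
            raise ValueError("username already taken")
        profile = Profile(username, bio)
        self._profiles[username] = profile
        return profile

    def candidates(self, username: str) -> list:
        # Case-insensitive read path. Once two case variants exist, which one
        # a canonical URL such as /u/alice shows depends on whichever row the
        # storage backend happens to return first.
        return [p for name, p in self._profiles.items()
                if name.lower() == username.lower()]

    def resolve(self, username: str) -> Optional[Profile]:
        matches = self.candidates(username)
        return matches[0] if matches else None


# Allow-list applied to the canonical form (assumed policy for the example).
USERNAME_RE = re.compile(r"^[a-z0-9_-]{3,32}$")


def canonical_username(username: str) -> str:
    """Single normalisation used by every path: NFKC folds compatibility
    forms (e.g. fullwidth letters), casefold() handles case including
    non-ASCII cases such as the German sharp s, and the allow-list rejects
    anything that survives neither step."""
    key = unicodedata.normalize("NFKC", username).casefold()
    if not USERNAME_RE.fullmatch(key):
        raise ValueError("invalid username")
    return key


class HardenedUserStore:
    """Write and read paths both go through canonical_username(), so the
    uniqueness check and the lookup can never disagree."""

    def __init__(self) -> None:
        self._profiles: dict = {}

    def register(self, username: str, bio: str) -> Profile:
        key = canonical_username(username)
        if key in self._profiles:
            raise ValueError("username already taken")
        profile = Profile(username, bio)  # display form kept, key is canonical
        self._profiles[key] = profile
        return profile

    def resolve(self, username: str) -> Optional[Profile]:
        try:
            key = canonical_username(username)
        except ValueError:
            return None
        return self._profiles.get(key)


def demo() -> dict:
    """Constructed scenario: 'alice' registers first, then a second account
    attempts the case variant 'Alice' against each store."""
    vuln = VulnerableUserStore()
    vuln.register("alice", "original bio")
    vuln.register("Alice", "second account")  # accepted: uniqueness bypassed
    hard = HardenedUserStore()
    hard.register("alice", "original bio")
    try:
        hard.register("Alice", "second account")
        hardened_blocked = False
    except ValueError:
        hardened_blocked = True
    return {
        "vulnerable_candidates_for_ALICE": len(vuln.candidates("ALICE")),
        "hardened_blocked_variant": hardened_blocked,
        "hardened_resolves_ALICE_to": hard.resolve("ALICE").display_name,
    }


if __name__ == "__main__":
    print(demo())
```

The practical check this suggests for any username-based system is to grep for every place a username is compared or looked up and confirm that all of them call the same canonicalisation function; a database with a case-insensitive collation on the read side and a case-sensitive unique index on the write side reproduces exactly the vulnerable store above.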
Details
- CWE(s)