CVE-2026-49433
MEDIUM
DeepAI - Cross-Site Request Forgery via Email Change Endpoint
Title source: llm
Description
The DeepAI endpoint 'https://api.deepai.org/change_user_email' accepts POST requests without any CSRF protection. If an attacker can trick a logged-in user into clicking a malicious link, the attacker can change the user's email address and take over their account. Fixed on 2026-05-20.
References (3)
https://deepai.org/
https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2026/va-26-152-01.json
https://www.cve.org/CVERecord?id=CVE-2026-49433
Scores
CVSS v3: 5.0
EPSS: 0.0011
EPSS Percentile: 1.4%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
Details
CWE: CWE-352
Status: published
Published: Jun 01, 2026
Tracked Since: Jun 02, 2026