
one-api CVE-2026-11465
EUVD ID: EUVD-2026-34996
Severity: LOW (CVSS 4.0 base score 1.3, NVD)
Weakness: Business Logic Errors (CWE-840)
Published: 2026-06-07 · VulDB · GHSA-7v3v-cp44-vc8m

Severity by source

NVD PRIMARY
1.3 LOW
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network (AV:N)
Attack Complexity: High (AC:H)
Attack Requirements: None (AT:N)
Privileges Required: Low (PR:L)
User Interaction: None (UI:N)
Vulnerable System Impact: Confidentiality None, Integrity Low, Availability None (VC:N/VI:L/VA:N)
Subsequent System Impact: None (SC:N/SI:N/SA:N)
Exploit Maturity: Proof-of-Concept (E:P)

Lifecycle Timeline (3 events)

Source Code Evidence Fetched: Jun 07, 2026 23:29 (vuln.today)
Analysis Generated: Jun 07, 2026 23:29 (vuln.today)
CVSS changed: Jun 07, 2026 23:22 (NVD), 3.1 (LOW) -> 1.3 (LOW)

Description (CVE.org)

A security flaw has been discovered in songquanpeng one-api up to 0.6.11-preview.7. Affected by this issue is the function Redeem of the file model/redemption.go of the component Redemption Code Top-Up Endpoint. The manipulation results in business logic errors. The attack may be launched remotely. The attack requires a high level of complexity. The exploitation is known to be difficult. The exploit has been released to the public and may be used for attacks. The pull request to fix this issue awaits acceptance.

Analysis (AI-generated)

Race condition in songquanpeng one-api's redemption code feature allows an authenticated user to redeem a single-use code multiple times by sending concurrent requests before the first transaction commits. The root cause is confirmed by the PR diff: Redeem in model/redemption.go selects the code with the GORM v1 idiom tx.Set("gorm:query_option", "FOR UPDATE"). GORM v2 does not act on that setting (the v2 equivalent is a clause.Locking{Strength: "UPDATE"} clause), so the SELECT runs without a row lock and every concurrent transaction reads the code as unused before any of them marks it used. …
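The window described above, reproduced as an added example that is not one-api's code and is also the behaviour the Exploit Scenario in the Vulnerability Assessment section relies on. The names store, redeemUnlocked, redeemLocked and race, the code value EXAMPLE-CODE and the quota amount are assumptions of this example. An in-memory map stands in for the redemptions table: the unlocked path does the check and the update as two separate critical sections, which is what a SELECT without FOR UPDATE followed by an UPDATE amounts to, and the locked path holds one lock across both steps, as a SELECT ... FOR UPDATE inside the transaction would.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
	"time"
)

// Added example, not one-api's code. It models a redemption handler's
// check-then-update with an in-memory table. redeemUnlocked re-creates
// the unprotected window (every concurrent caller reads the code as
// unused before any of them marks it used); redeemLocked holds an
// exclusive lock across the read and the write, standing in for
// SELECT ... FOR UPDATE.

var ErrAlreadyRedeemed = errors.New("redemption code already used")

type store struct {
	mu     sync.Mutex
	status map[string]string // code -> "unused" | "used"
	quota  map[int]int64     // userID -> quota balance
}

func newStore(code string) *store {
	return &store{
		status: map[string]string{code: "unused"},
		quota:  map[int]int64{},
	}
}

// redeemUnlocked reads the status, releases the lock, then writes.
// The sleep widens the window the way a database round trip would.
func (s *store) redeemUnlocked(code string, userID int, value int64) error {
	s.mu.Lock()
	st := s.status[code]
	s.mu.Unlock()
	if st != "unused" {
		return ErrAlreadyRedeemed
	}
	time.Sleep(5 * time.Millisecond) // unprotected window
	s.mu.Lock()
	s.status[code] = "used"
	s.quota[userID] += value
	s.mu.Unlock()
	return nil
}

// redeemLocked keeps the lock from the check through the update, so the
// second caller observes "used" and is refused.
func (s *store) redeemLocked(code string, userID int, value int64) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	if s.status[code] != "unused" {
		return ErrAlreadyRedeemed
	}
	time.Sleep(5 * time.Millisecond) // same delay, now inside the lock
	s.status[code] = "used"
	s.quota[userID] += value
	return nil
}

// race releases n goroutines at once against the same code and returns
// how many redemptions succeeded and the quota the user ended up with.
func race(n int, redeem func(*store, string, int, int64) error) (int, int64) {
	const code = "EXAMPLE-CODE" // constructed sample code
	const userID, value = 42, 1000
	s := newStore(code)
	var wg sync.WaitGroup
	var okMu sync.Mutex
	ok := 0
	start := make(chan struct{})
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			<-start // barrier: all requests start together
			if err := redeem(s, code, userID, value); err == nil {
				okMu.Lock()
				ok++
				okMu.Unlock()
			}
		}()
	}
	close(start)
	wg.Wait()
	return ok, s.quota[userID]
}

func main() {
	n := 16
	ok, q := race(n, (*store).redeemUnlocked)
	fmt.Printf("unlocked: %d of %d concurrent redemptions succeeded, quota credited %d\n", ok, n, q)
	ok, q = race(n, (*store).redeemLocked)
	fmt.Printf("locked:   %d of %d concurrent redemptions succeeded, quota credited %d\n", ok, n, q)
}
```

With the barrier and the delay the unlocked run credits the user close to n times; the locked run credits exactly once. In GORM v2 the lock is requested with tx.Clauses(clause.Locking{Strength: "UPDATE"}) on the SELECT (gorm.io/gorm/clause), not with Set("gorm:query_option", ...). As general defence in depth, independent of what PR #2399 does, the status change can also be written as a conditional update (UPDATE ... SET status = used WHERE id = ? AND status = unused) with the affected-row count checked before crediting quota, so that a second committer fails even if a lock is ever dropped again.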


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Recon: authenticate with a low-privilege account
Delivery: acquire a valid, unused redemption code
Exploit: send multiple concurrent POST requests to the redemption endpoint with that code
Install: the missing FOR UPDATE lock lets the parallel transactions read the row concurrently
C2: each transaction sees the code as unredeemed
Execute: multiple redemptions succeed
Impact: attacker accumulates unauthorized quota credits

Vulnerability Assessment (AI-generated)

Exploitation: requires an authenticated user session (PR:L in the CVSS vector; unauthenticated exploitation is not possible). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment: CVSS 4.0 scores this at 1.3, a realistic low severity: AV:N (network-reachable) is offset by AC:H (the attacker must win a race against the transaction commit) and PR:L (an authenticated session is required), and the only impact is VI:L (the attacker's own quota balance is inflated). …
Exploit Scenario: an authenticated user holding a single legitimate redemption code opens several HTTP client threads and fires them at the redemption endpoint simultaneously with the same code. Because the intended `FOR UPDATE` row lock is silently not applied under GORM v2, every concurrent transaction reads the code as valid before any of them marks it consumed, so each request succeeds and credits the attacker's quota again. …
Remediation: upstream fix proposed in pull request #2399 (https://github.com/songquanpeng/one-api/pull/2399); the PR awaits acceptance and a released patched version has not been independently confirmed. …



CVE-2026-11465 vulnerability details – vuln.today
