CVE-2026-27812
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Description
Sub2API is an AI API gateway platform designed to distribute and manage API quotas from AI product subscriptions. Versions prior to 0.1.85 are vulnerable to password reset poisoning (a Host header / Forwarded header trust issue): the password reset link is built from request-supplied host information, so an attacker can inject their own domain into the link a victim receives, leading to potential account takeover. The vulnerability has been fixed in version v0.1.85. If upgrading is not immediately possible, users can mitigate the vulnerability by disabling the "forgot password" feature until an upgrade to a patched version can be performed. This prevents the affected endpoint from being used to exploit the vulnerability.
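The vulnerability class described above, as an added illustration that is not Sub2API's own code: the first function shows the weak pattern of deriving the reset link's host from request headers, the second shows the hardened pattern of building the link from a server-side configured base URL and rejecting requests whose Host is not a known deployment hostname. Go is assumed as the language, and the `/reset-password` path, the `ResetLinkBuilder` type and the `gateway.example.com` / `attacker.example` hostnames are constructed for the example, not taken from the project.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// Weak pattern (hypothetical, modelled on the vulnerability class on this page):
// the scheme and host of the reset link come from X-Forwarded-* / Host headers,
// which an unauthenticated caller of the "forgot password" endpoint controls.
func buildResetLinkFromRequest(r *http.Request, token string) string {
	scheme := "http"
	if r.TLS != nil {
		scheme = "https"
	}
	if p := r.Header.Get("X-Forwarded-Proto"); p != "" {
		scheme = p
	}
	host := r.Host
	if fh := r.Header.Get("X-Forwarded-Host"); fh != "" {
		host = fh
	}
	return scheme + "://" + host + "/reset-password?token=" + url.QueryEscape(token)
}

// ErrUntrustedHost is returned when the request's Host is not one this
// deployment serves; logging these is a useful detection signal.
var ErrUntrustedHost = errors.New("untrusted Host header on password reset request")

// ResetLinkBuilder holds the configured public base URL (assumed setting) and
// the allow-list of hostnames the deployment answers to.
type ResetLinkBuilder struct {
	BaseURL      *url.URL
	AllowedHosts map[string]bool
}

// NewResetLinkBuilder validates that the configured base URL is absolute https.
func NewResetLinkBuilder(base string, extraHosts ...string) (*ResetLinkBuilder, error) {
	u, err := url.Parse(base)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "https" || u.Host == "" {
		return nil, fmt.Errorf("base URL %q must be absolute https", base)
	}
	allowed := map[string]bool{u.Host: true}
	for _, h := range extraHosts {
		allowed[h] = true
	}
	return &ResetLinkBuilder{BaseURL: u, AllowedHosts: allowed}, nil
}

// BuildResetLink never reads Host or Forwarded headers to form the link; it
// only checks Host against the allow-list and fails closed on a mismatch.
func (b *ResetLinkBuilder) BuildResetLink(r *http.Request, token string) (string, error) {
	if !b.AllowedHosts[r.Host] {
		return "", ErrUntrustedHost
	}
	link := *b.BaseURL // copy so the configured URL is never mutated
	link.Path = "/reset-password"
	link.RawQuery = url.Values{"token": {token}}.Encode()
	return link.String(), nil
}

// newForgotRequest builds a constructed "forgot password" request whose Host is
// taken from the URL; forwardedHost, if non-empty, sets X-Forwarded-Host.
func newForgotRequest(host, forwardedHost string) *http.Request {
	r := httptest.NewRequest("POST", "https://"+host+"/api/forgot-password", nil)
	if forwardedHost != "" {
		r.Header.Set("X-Forwarded-Host", forwardedHost)
	}
	return r
}

func main() {
	b, err := NewResetLinkBuilder("https://gateway.example.com")
	if err != nil {
		panic(err)
	}
	poisoned := newForgotRequest("gateway.example.com", "attacker.example")
	fmt.Println("weak:    ", buildResetLinkFromRequest(poisoned, "tok123"))
	safe, _ := b.BuildResetLink(poisoned, "tok123")
	fmt.Println("hardened:", safe)
	_, err = b.BuildResetLink(newForgotRequest("attacker.example", ""), "tok123")
	fmt.Println("spoofed Host rejected:", err)
}
```

The hardened builder treats the configured base URL as the only source of truth for the link; if a deployment sits behind a reverse proxy that rewrites Host, the proxy's canonical hostname belongs in the allow-list, and the builder still never copies a forwarded host into the outgoing email.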
Analysis
Improper output encoding in Sub2API AI API gateway allows injection attacks. The platform distributes AI API quotas without properly encoding output.
Remediation
Within 24 hours: Isolate Sub2API instances from external networks if possible and disable password reset functionality until patched; notify all users to change passwords via secure out-of-band channels and monitor for unauthorized account access. Within 7 days: Implement WAF rules to block suspicious Host and Forwarded headers, conduct forensic analysis of password reset logs for exploitation evidence, and establish communication with the Sub2API vendor on patch timeline. …