new-api CVE-2026-44342
MEDIUMSeverity by source
AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
AC:H reflects the SameSite=Strict default that blocks most CSRF paths; I:H because successful binding enables account takeover via follow-on recovery flows.
Primary rating from Vendor (https://github.com/QuantumNous/new-api).
CVSS VectorVendor: https://github.com/QuantumNous/new-api
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
Lifecycle Timeline
1DescriptionCVE.org
Summary
The email and WeChat account binding endpoints used GET requests for state-changing account operations. In deployments where session cookies could be sent on cross-site navigations, an attacker could trigger a logged-in user's browser to bind an attacker-controlled email address or OAuth identity.
Affected endpoints included:
GET /api/oauth/email/bindGET /api/oauth/wechat/bind
Impact
A successful attack could change account binding state. For email binding, the attacker could bind an email address they control and then attempt follow-on account recovery flows. The default session cookie configuration uses SameSite=Strict, which mitigates common cross-site navigation attacks in modern browsers, so the issue is rated Medium.
Affected versions
Versions before v0.12.0-alpha.1 are affected.
Patches
This issue is fixed in v0.12.0-alpha.1. The fix changes email and WeChat binding routes from GET to POST and reads parameters from a JSON request body instead of query parameters. The same change set also normalizes password reset responses to avoid disclosing whether an email is registered.
Workarounds
If upgrading immediately is not possible, ensure session cookies are configured with strict SameSite behavior and block GET requests to /api/oauth/email/bind and /api/oauth/wechat/bind at the reverse proxy.
Resources
- Fixed by commit
e099117c61391abdf888fb75e382a582e550bd0e. - Relevant code paths:
router/api-router.goandcontroller/user.go.
AnalysisAI
Cross-site request forgery in new-api's OAuth account binding endpoints allows an unauthenticated network attacker to silently rebind a logged-in user's email or WeChat identity to attacker-controlled credentials by luring the victim to a malicious page. Affected are all deployments running versions prior to v0.12.0-alpha.1 where the GET-based bind endpoints are reachable. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the victim's browser sends session cookies on cross-site GET navigations - this is prevented by the default SameSite=Strict cookie configuration. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 score of 5.3 (AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N) accurately reflects the exploitation difficulty. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers a malicious email address with an authentication provider and crafts an HTML page containing an img tag or hidden link whose src resolves to GET /api/oauth/email/bind with the attacker's email as a parameter. When a logged-in new-api user visits this page in a browser where SameSite is not enforced as Strict, the browser silently sends the authenticated session cookie alongside the GET request, binding the attacker's email to the victim account. … |
| Remediation | The vendor-released patch is v0.12.0-alpha.1, which converts the email and WeChat binding routes from GET to POST and reads parameters from a JSON request body, eliminating the CSRF attack surface. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-26v7-h57m-gh9m