Skip to main content

new-api CVE-2026-44342

MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-07-07 https://github.com/QuantumNous/new-api GHSA-26v7-h57m-gh9m
5.3
CVSS 3.1 · Vendor: https://github.com/QuantumNous/new-api
Share

Severity by source

Vendor (https://github.com/QuantumNous/new-api) PRIMARY
5.3 MEDIUM
AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
vuln.today AI
5.3 MEDIUM

AC:H reflects the SameSite=Strict default that blocks most CSRF paths; I:H because successful binding enables account takeover via follow-on recovery flows.

3.1 AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
4.0 AV:N/AC:H/AT:P/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (https://github.com/QuantumNous/new-api).

CVSS VectorVendor: https://github.com/QuantumNous/new-api

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 07, 2026 - 13:41 vuln.today

DescriptionCVE.org

Summary

The email and WeChat account binding endpoints used GET requests for state-changing account operations. In deployments where session cookies could be sent on cross-site navigations, an attacker could trigger a logged-in user's browser to bind an attacker-controlled email address or OAuth identity.

Affected endpoints included:

  • GET /api/oauth/email/bind
  • GET /api/oauth/wechat/bind

Impact

A successful attack could change account binding state. For email binding, the attacker could bind an email address they control and then attempt follow-on account recovery flows. The default session cookie configuration uses SameSite=Strict, which mitigates common cross-site navigation attacks in modern browsers, so the issue is rated Medium.

Affected versions

Versions before v0.12.0-alpha.1 are affected.

Patches

This issue is fixed in v0.12.0-alpha.1. The fix changes email and WeChat binding routes from GET to POST and reads parameters from a JSON request body instead of query parameters. The same change set also normalizes password reset responses to avoid disclosing whether an email is registered.

Workarounds

If upgrading immediately is not possible, ensure session cookies are configured with strict SameSite behavior and block GET requests to /api/oauth/email/bind and /api/oauth/wechat/bind at the reverse proxy.

Resources

  • Fixed by commit e099117c61391abdf888fb75e382a582e550bd0e.
  • Relevant code paths: router/api-router.go and controller/user.go.

AnalysisAI

Cross-site request forgery in new-api's OAuth account binding endpoints allows an unauthenticated network attacker to silently rebind a logged-in user's email or WeChat identity to attacker-controlled credentials by luring the victim to a malicious page. Affected are all deployments running versions prior to v0.12.0-alpha.1 where the GET-based bind endpoints are reachable. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Identify target's new-api session
Delivery
Host malicious page with forged GET bind URL
Exploit
Lure authenticated victim to page
Install
Browser sends session cookie with GET request
C2
Server binds attacker email to victim account
Execute
Attacker triggers password-reset to own email
Impact
Full account takeover

Vulnerability AssessmentAI

Exploitation Exploitation requires that the victim's browser sends session cookies on cross-site GET navigations - this is prevented by the default SameSite=Strict cookie configuration. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 5.3 (AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N) accurately reflects the exploitation difficulty. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers a malicious email address with an authentication provider and crafts an HTML page containing an img tag or hidden link whose src resolves to GET /api/oauth/email/bind with the attacker's email as a parameter. When a logged-in new-api user visits this page in a browser where SameSite is not enforced as Strict, the browser silently sends the authenticated session cookie alongside the GET request, binding the attacker's email to the victim account. …
Remediation The vendor-released patch is v0.12.0-alpha.1, which converts the email and WeChat binding routes from GET to POST and reads parameters from a JSON request body, eliminating the CSRF attack surface. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-44342 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy