GHSA-26V7-H57M-GH9M

Vulnerability from github – Published: 2026-07-07 13:01 – Updated: 2026-07-07 13:01
VLAI
Summary
New API is vulnerable to CSRF through user email binding
Details

Summary

The email and WeChat account binding endpoints used GET requests for state-changing account operations. In deployments where session cookies could be sent on cross-site navigations, an attacker could trigger a logged-in user's browser to bind an attacker-controlled email address or OAuth identity.

Affected endpoints included:

  • GET /api/oauth/email/bind
  • GET /api/oauth/wechat/bind

Impact

A successful attack could change account binding state. For email binding, the attacker could bind an email address they control and then attempt follow-on account recovery flows. The default session cookie configuration uses SameSite=Strict, which mitigates common cross-site navigation attacks in modern browsers, so the issue is rated Medium.

Affected versions

Versions before v0.12.0-alpha.1 are affected.

Patches

This issue is fixed in v0.12.0-alpha.1. The fix changes email and WeChat binding routes from GET to POST and reads parameters from a JSON request body instead of query parameters. The same change set also normalizes password reset responses to avoid disclosing whether an email is registered.

Workarounds

If upgrading immediately is not possible, ensure session cookies are configured with strict SameSite behavior and block GET requests to /api/oauth/email/bind and /api/oauth/wechat/bind at the reverse proxy.

Resources

  • Fixed by commit e099117c61391abdf888fb75e382a582e550bd0e.
  • Relevant code paths: router/api-router.go and controller/user.go.
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/QuantumNous/new-api"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.12.0-alpha.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44342"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-352"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-07T13:01:49Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nThe email and WeChat account binding endpoints used GET requests for state-changing account operations. In deployments where session cookies could be sent on cross-site navigations, an attacker could trigger a logged-in user\u0027s browser to bind an attacker-controlled email address or OAuth identity.\n\nAffected endpoints included:\n\n- `GET /api/oauth/email/bind`\n- `GET /api/oauth/wechat/bind`\n\n## Impact\n\nA successful attack could change account binding state. For email binding, the attacker could bind an email address they control and then attempt follow-on account recovery flows. The default session cookie configuration uses `SameSite=Strict`, which mitigates common cross-site navigation attacks in modern browsers, so the issue is rated Medium.\n\n## Affected versions\n\nVersions before `v0.12.0-alpha.1` are affected.\n\n## Patches\n\nThis issue is fixed in `v0.12.0-alpha.1`. The fix changes email and WeChat binding routes from GET to POST and reads parameters from a JSON request body instead of query parameters. The same change set also normalizes password reset responses to avoid disclosing whether an email is registered.\n\n## Workarounds\n\nIf upgrading immediately is not possible, ensure session cookies are configured with strict SameSite behavior and block GET requests to `/api/oauth/email/bind` and `/api/oauth/wechat/bind` at the reverse proxy.\n\n## Resources\n\n- Fixed by commit `e099117c61391abdf888fb75e382a582e550bd0e`.\n- Relevant code paths: `router/api-router.go` and `controller/user.go`.",
  "id": "GHSA-26v7-h57m-gh9m",
  "modified": "2026-07-07T13:01:49Z",
  "published": "2026-07-07T13:01:49Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/QuantumNous/new-api/security/advisories/GHSA-26v7-h57m-gh9m"
    },
    {
      "type": "WEB",
      "url": "https://github.com/QuantumNous/new-api/commit/e099117c61391abdf888fb75e382a582e550bd0e"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/QuantumNous/new-api"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "New API is vulnerable to CSRF through user email binding"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…