CVE-2026-44342
Undergoing Analysis Undergoing Analysis - In Progress

Email and WeChat Binding CSRF in New API

Vulnerability report for CVE-2026-44342, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-10

Assigner: GitHub, Inc.

Description

New API is a large language mode (LLM) gateway and artificial intelligence (AI) asset management system. Prior to 0.12.0-alpha.1, the email and WeChat account binding endpoints GET /api/oauth/email/bind and GET /api/oauth/wechat/bind used GET requests for state-changing account operations, allowing an attacker to trigger a logged-in user's browser to bind an attacker-controlled email address or OAuth identity in deployments where session cookies could be sent on cross-site navigations. This issue is fixed in version 0.12.0-alpha.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-10
Generated
2026-07-11
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
quantumnous new-api to 0.12.0-alpha.1 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the New API, a large language model gateway and AI asset management system, prior to version 0.12.0-alpha.1. The issue involves the use of GET requests for state-changing operations on email and WeChat account binding endpoints (GET /api/oauth/email/bind and GET /api/oauth/wechat/bind). Because GET requests were used, an attacker could trick a logged-in user's browser into binding an attacker-controlled email address or OAuth identity if session cookies were sent on cross-site navigations.

This means that an attacker could potentially hijack or manipulate account bindings by exploiting the way these endpoints handle requests.

Impact Analysis

The vulnerability can lead to unauthorized binding of attacker-controlled email addresses or OAuth identities to a victim's account. This could allow attackers to gain some level of control or influence over the victim's account by associating their own credentials with it.

Since the vulnerability requires the victim to be logged in and involves cross-site navigations where session cookies are sent, it could be exploited to perform account manipulation without the victim's explicit consent.

The CVSS score of 5.3 indicates a medium severity impact, with high impact on integrity but no impact on confidentiality or availability.

Mitigation Strategies

To mitigate this vulnerability, upgrade the New API system to version 0.12.0-alpha.1 or later, where the issue has been fixed.

Compliance Impact

The vulnerability involves a Cross-Site Request Forgery (CSRF) issue that allows an attacker to bind an attacker-controlled email address or OAuth identity to a logged-in user's account. This could potentially lead to unauthorized account modifications.

However, there is no explicit information provided about how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability involves the use of GET requests for state-changing operations on the endpoints /api/oauth/email/bind and /api/oauth/wechat/bind in versions prior to 0.12.0-alpha.1. To detect if your system is vulnerable, you can monitor network traffic or logs for GET requests to these endpoints that include query parameters related to email or OAuth binding.

One approach is to use network traffic inspection tools like tcpdump or Wireshark to capture HTTP GET requests to these endpoints.

  • Using tcpdump to capture GET requests to the vulnerable endpoints: tcpdump -i <interface> -A 'tcp port 80 or tcp port 443' | grep 'GET /api/oauth/email/bind'
  • Similarly, for WeChat binding endpoint: tcpdump -i <interface> -A 'tcp port 80 or tcp port 443' | grep 'GET /api/oauth/wechat/bind'

Alternatively, if you have access to web server logs, you can search for GET requests to these endpoints with query parameters indicating binding attempts.

  • Example command to search logs: grep 'GET /api/oauth/email/bind' /var/log/nginx/access.log
  • grep 'GET /api/oauth/wechat/bind' /var/log/nginx/access.log

Blocking or alerting on such GET requests to these endpoints can help detect exploitation attempts or presence of the vulnerability.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44342. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart