PT-2026-56214 · Go+1 · Github.Com/Quantumnous/New-Api+1

Published

2026-07-07

·

Updated

2026-07-09

·

CVE-2026-44342

CVSS v3.1

5.3

Medium

VectorAV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions New API versions prior to 0.12.0-alpha.1
Description The email and WeChat account binding endpoints use GET requests for state-changing account operations. In deployments where session cookies are sent on cross-site navigations, an attacker can trigger a logged-in user's browser to bind an attacker-controlled email address or OAuth identity. This could allow the attacker to initiate account recovery flows. The affected endpoints are 'GET /api/oauth/email/bind' and 'GET /api/oauth/wechat/bind'.
Recommendations Update to version 0.12.0-alpha.1. Ensure session cookies are configured with strict SameSite behavior. Block GET requests to 'GET /api/oauth/email/bind' and 'GET /api/oauth/wechat/bind' at the reverse proxy.

Fix

CSRF

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-44342
GHSA-26V7-H57M-GH9M

Affected Products

Github.Com/Quantumnous/New-Api
New Api