Threat Advisory

New API Lets Attackers Bind User Email Through CSRF

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Medium
[subscribe_to_unlock_form]

EXECUTIVE SUMMARY:

A Medium severity vulnerability affecting github.com/QuantumNous/new-api versions Versions before `v0,

CVE-2026-44342 with a CVSS score of 5.3, affects the new API's email and WeChat account binding endpoints. These endpoints use GET requests for state-changing account operations, which can be exploited by attackers to bind user email through CSRF in deployments where session cookies can be sent on cross-site navigations. The default session cookie configuration uses SameSite=Strict, mitigating common cross-site navigation attacks in modern browsers. Versions before v0.12.0-alpha.1 are affected, and the issue is rated Medium due to its impact on account binding state, enabling an attacker to bind an email address they control and then attempt follow-on account recovery flows.[/subscribe_to_unlock_form]

EXECUTIVE SUMMARY:

A Medium severity vulnerability affecting github.com/QuantumNous/new-api versions Versions before `v0,

CVE-2026-44342 with a CVSS score of 5.3, affects the new API's email and WeChat account binding endpoints. These endpoints use GET requests for state-changing account operations, which can be exploited by attackers to bind user email through CSRF in deployments where session cookies can be sent on cross-site navigations. The default session cookie configuration uses SameSite=Strict, mitigating common cross-site navigation attacks in modern browsers. Versions before v0.12.0-alpha.1 are affected, and the issue is rated Medium due to its impact on account binding state, enabling an attacker to bind an email address they control and then attempt follow-on account recovery flows.[emaillocker id="1283"]

RECOMMENDATION:

We recommend you to update github.com/QuantumNous/new-api to version 0.12.0-alpha.1.

REFERENCES:

The following reports contain further technical details:

[/emaillocker]
crossmenu