CVE-2026-27812

Sub2API is an AI API gateway platform designed to distribute and manage API quotas from AI product subscriptions. A vulnerability in versions prior to 0.1.85 is a Password Reset Poisoning (Host Header / Forwarded Header trust issue), which allows attackers to manipulate the password reset link. Attackers can exploit this flaw to inject their own domain into the password reset link, leading to the potential for account takeover. The vulnerability has been fixed in version v0.1.85. If upgrading is not immediately possible, users can mitigate the vulnerability by disabling the "forgot password" feature until an upgrade to a patched version can be performed. This will prevent attackers from exploiting the vulnerability via the affected endpoint.

CVSS

No CVSS.

References

Link	Resource
https://github.com/Wei-Shaw/sub2api/security/advisories/GHSA-vc2q-289v-74g3

Configurations

No configuration.

History

27 Feb 2026, 14:06

Type	Values Removed	Values Added
Summary		(es) Sub2API es una plataforma de pasarela de API de IA diseñada para distribuir y gestionar cuotas de API de suscripciones de productos de IA. Una vulnerabilidad en versiones anteriores a la 0.1.85 es un Envenenamiento de Restablecimiento de Contraseña (problema de confianza en el encabezado Host / Forwarded), que permite a los atacantes manipular el enlace de restablecimiento de contraseña. Los atacantes pueden exploit esta falla para inyectar su propio dominio en el enlace de restablecimiento de contraseña, lo que lleva al potencial de toma de control de la cuenta. La vulnerabilidad ha sido corregida en la versión v0.1.85. Si la actualización no es posible de inmediato, los usuarios pueden mitigar la vulnerabilidad deshabilitando la función 'olvidé mi contraseña' hasta que se pueda realizar una actualización a una versión parcheada. Esto evitará que los atacantes exploten la vulnerabilidad a través del endpoint afectado.

26 Feb 2026, 00:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-26 00:16

Updated : 2026-02-27 14:06

NVD link : CVE-2026-27812

Mitre link : CVE-2026-27812

CVE.ORG link : CVE-2026-27812

JSON object : View

Products Affected

No product.

CWE

CWE-116

Improper Encoding or Escaping of Output

{"id": "CVE-2026-27812", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.0, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "UNREPORTED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-02-26T00:16:26.467", "references": [{"url": "https://github.com/Wei-Shaw/sub2api/security/advisories/GHSA-vc2q-289v-74g3", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-116"}]}], "descriptions": [{"lang": "en", "value": "Sub2API is an AI API gateway platform designed to distribute and manage API quotas from AI product subscriptions. A vulnerability in versions prior to 0.1.85 is a Password Reset Poisoning (Host Header / Forwarded Header trust issue), which allows attackers to manipulate the password reset link. Attackers can exploit this flaw to inject their own domain into the password reset link, leading to the potential for account takeover. The vulnerability has been fixed in version v0.1.85. If upgrading is not immediately possible, users can mitigate the vulnerability by disabling the \"forgot password\" feature until an upgrade to a patched version can be performed. This will prevent attackers from exploiting the vulnerability via the affected endpoint."}, {"lang": "es", "value": "Sub2API es una plataforma de pasarela de API de IA dise\u00f1ada para distribuir y gestionar cuotas de API de suscripciones de productos de IA. Una vulnerabilidad en versiones anteriores a la 0.1.85 es un Envenenamiento de Restablecimiento de Contrase\u00f1a (problema de confianza en el encabezado Host / Forwarded), que permite a los atacantes manipular el enlace de restablecimiento de contrase\u00f1a. Los atacantes pueden exploit esta falla para inyectar su propio dominio en el enlace de restablecimiento de contrase\u00f1a, lo que lleva al potencial de toma de control de la cuenta. La vulnerabilidad ha sido corregida en la versi\u00f3n v0.1.85. Si la actualizaci\u00f3n no es posible de inmediato, los usuarios pueden mitigar la vulnerabilidad deshabilitando la funci\u00f3n 'olvid\u00e9 mi contrase\u00f1a' hasta que se pueda realizar una actualizaci\u00f3n a una versi\u00f3n parcheada. Esto evitar\u00e1 que los atacantes exploten la vulnerabilidad a trav\u00e9s del endpoint afectado."}], "lastModified": "2026-02-27T14:06:59.787", "sourceIdentifier": "security-advisories@github.com"}