CVE-2026-27812

Sub2API is an AI API gateway platform designed to distribute and manage API quotas from AI product subscriptions. A vulnerability in versions prior to 0.1.85 is a Password Reset Poisoning (Host Header / Forwarded Header trust issue), which allows attackers to manipulate the password reset link. Attackers can exploit this flaw to inject their own domain into the password reset link, leading to the potential for account takeover. The vulnerability has been fixed in version v0.1.85. If upgrading is not immediately possible, users can mitigate the vulnerability by disabling the "forgot password" feature until an upgrade to a patched version can be performed. This will prevent attackers from exploiting the vulnerability via the affected endpoint.

CVSS v3 9.1 CRITICAL

9.1^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/Wei-Shaw/sub2api/security/advisories/GHSA-vc2q-289v-74g3	Mitigation Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:sub2api:sub2api:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-02-26 00:16

Updated : 2026-03-05 17:47

NVD link : CVE-2026-27812

Mitre link : CVE-2026-27812

CVE.ORG link : CVE-2026-27812

JSON object : View

Products Affected

sub2api

sub2api

CWE

CWE-116

Improper Encoding or Escaping of Output

{"id": "CVE-2026-27812", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.0, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "UNREPORTED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-02-26T00:16:26.467", "references": [{"url": "https://github.com/Wei-Shaw/sub2api/security/advisories/GHSA-vc2q-289v-74g3", "tags": ["Mitigation", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-116"}]}], "descriptions": [{"lang": "en", "value": "Sub2API is an AI API gateway platform designed to distribute and manage API quotas from AI product subscriptions. A vulnerability in versions prior to 0.1.85 is a Password Reset Poisoning (Host Header / Forwarded Header trust issue), which allows attackers to manipulate the password reset link. Attackers can exploit this flaw to inject their own domain into the password reset link, leading to the potential for account takeover. The vulnerability has been fixed in version v0.1.85. If upgrading is not immediately possible, users can mitigate the vulnerability by disabling the \"forgot password\" feature until an upgrade to a patched version can be performed. This will prevent attackers from exploiting the vulnerability via the affected endpoint."}, {"lang": "es", "value": "Sub2API es una plataforma de pasarela de API de IA dise\u00f1ada para distribuir y gestionar cuotas de API de suscripciones de productos de IA. Una vulnerabilidad en versiones anteriores a la 0.1.85 es un Envenenamiento de Restablecimiento de Contrase\u00f1a (problema de confianza en el encabezado Host / Forwarded), que permite a los atacantes manipular el enlace de restablecimiento de contrase\u00f1a. Los atacantes pueden exploit esta falla para inyectar su propio dominio en el enlace de restablecimiento de contrase\u00f1a, lo que lleva al potencial de toma de control de la cuenta. La vulnerabilidad ha sido corregida en la versi\u00f3n v0.1.85. Si la actualizaci\u00f3n no es posible de inmediato, los usuarios pueden mitigar la vulnerabilidad deshabilitando la funci\u00f3n 'olvid\u00e9 mi contrase\u00f1a' hasta que se pueda realizar una actualizaci\u00f3n a una versi\u00f3n parcheada. Esto evitar\u00e1 que los atacantes exploten la vulnerabilidad a trav\u00e9s del endpoint afectado."}], "lastModified": "2026-03-05T17:47:02.913", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:sub2api:sub2api:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AE645367-957B-439F-97E6-91C32C6D32AC", "versionEndExcluding": "0.1.85"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}