CVE-2026-27812 is a vulnerability classified under CWE-116 (Improper Encoding or Escaping of Output) found in Wei-Shaw's sub2api, an AI API gateway platform that manages API quotas for AI product subscriptions. The flaw exists in versions prior to 0.1.85 and manifests as a Password Reset Poisoning vulnerability caused by improper trust and validation of the Host Header or Forwarded Header during password reset link generation. Attackers can manipulate these headers to inject a malicious domain into the password reset URL sent to users. This manipulation enables attackers to redirect password reset links to attacker-controlled domains, facilitating phishing or direct account takeover by intercepting or tricking users into resetting their passwords on malicious sites. The vulnerability requires no authentication or user interaction, making it highly exploitable remotely. The CVSS 4.0 base score is 8.0 (high), reflecting the ease of exploitation and the high impact on confidentiality and integrity of user accounts. Wei-Shaw addressed this issue in version 0.1.85 by properly validating and encoding output to prevent header injection. Until patching is possible, disabling the 'forgot password' feature is advised to block the attack vector. No public exploits have been reported yet, but the vulnerability's nature and impact warrant immediate attention from affected users.

The primary impact of CVE-2026-27812 is the potential for account takeover through manipulation of password reset links. This can lead to unauthorized access to user accounts, exposing sensitive subscription and API usage data, and potentially allowing attackers to abuse API quotas or disrupt service. For organizations relying on sub2api to manage AI product subscriptions, this could result in loss of customer trust, financial damage due to fraudulent API usage, and reputational harm. The vulnerability affects confidentiality and integrity severely, as attackers can reset passwords without user consent or authentication. Availability impact is minimal but could arise indirectly if attackers disrupt account access or service operations. Since exploitation requires no authentication or user interaction, the attack surface is broad, increasing risk across all deployments of vulnerable versions. Organizations with large user bases or critical AI service dependencies are particularly at risk.

1. Upgrade sub2api to version 0.1.85 or later immediately to apply the official fix that properly validates and encodes headers in password reset links. 2. If upgrading is not feasible immediately, disable the 'forgot password' feature to prevent attackers from exploiting the password reset endpoint. 3. Implement strict validation and sanitization of Host and Forwarded headers at the web server or application gateway level to reject suspicious or unexpected header values. 4. Monitor logs for unusual password reset requests or anomalies in header values that could indicate exploitation attempts. 5. Educate users to verify URLs in password reset emails and report suspicious links. 6. Consider deploying Web Application Firewalls (WAFs) with custom rules to detect and block header injection attempts targeting password reset functionality. 7. After patching, conduct penetration testing focused on header manipulation to ensure the vulnerability is fully remediated. 8. Review and enhance overall API gateway security posture, including rate limiting and anomaly detection, to mitigate abuse of password reset and other sensitive endpoints.