CVE-2026-27812: CWE-116: Improper Encoding or Escaping of Output in Wei-Shaw sub2api
CVE-2026-27812 is a high-severity vulnerability in Wei-Shaw's sub2api platform in versions prior to 0.1.85. It is classified as improper encoding or escaping of output (CWE-116) in the password reset flow: the application builds password reset links from the request's Host or Forwarded header, so an attacker who submits a forgot-password request for a victim's address with a spoofed header can inject a malicious domain into the link the victim receives (password reset poisoning). This can lead to account takeover; the attacker needs no account to send the poisoned request. The vulnerability has been fixed in version 0.1.85. Until upgrading, disabling the 'forgot password' feature is recommended to mitigate risk. No known exploits are currently reported in the wild.
AI Analysis
Technical Summary
CVE-2026-27812 is a vulnerability classified under CWE-116 (Improper Encoding or Escaping of Output) affecting the sub2api platform by Wei-Shaw, an AI API gateway used to manage API quotas for AI product subscriptions. The flaw exists in versions prior to 0.1.85 and stems from the platform's handling of password reset requests. Specifically, the system trusts the Host header or a Forwarded header from the incoming request when generating the absolute URL of the password reset link, instead of using a configured public base URL. An attacker therefore sends a forgot-password request for the victim's email address with the header set to a domain they control. The legitimate service emails the victim a genuine reset token, but the link points at the attacker's host; when the victim opens it, the token is delivered to the attacker, who replays it against the real sub2api instance to set a new password and take over the account. The CVSS 4.0 score is 8.0 (high severity), reflecting the network attack vector, low complexity, no privileges or user interaction needed, and high impact on confidentiality and integrity. In practice, the request that poisons the link requires no credentials, and the email the victim receives is a real one from the real service, so it passes the usual "is this email genuine" check; the token is disclosed once the victim follows the link. Wei-Shaw has addressed the issue in version 0.1.85. Until patching, disabling the 'forgot password' feature is advised to prevent exploitation. No public exploits have been reported yet, but the vulnerability poses a significant risk to organizations using sub2api for managing AI service subscriptions.
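The following Go program is an added illustration of the pattern described above, not sub2api's own code (sub2api is a Go project, but its reset handler, route paths and the exact header it read are not reproduced here). It assumes X-Forwarded-Host as the concrete forwarding header and /api/v1/auth/forgot-password as a hypothetical endpoint. `vulnerableResetLink` derives the link origin from request headers, `hardenedResetLink` derives it from a configured base URL, and `allowedHost` is the defence-in-depth check a handler or middleware can run before trusting the host at all.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// effectiveHost mirrors how many web frameworks resolve the "public" host
// behind a proxy: X-Forwarded-Host wins over Host. Both values come from the
// client unless the reverse proxy overwrites them.
func effectiveHost(r *http.Request) string {
	if xfh := r.Header.Get("X-Forwarded-Host"); xfh != "" {
		return strings.TrimSpace(strings.Split(xfh, ",")[0])
	}
	return r.Host
}

// vulnerableResetLink reproduces the vulnerable pattern: the origin of the
// reset link is taken from headers the attacker controls. (Illustrative
// reconstruction, not the project's code.)
func vulnerableResetLink(r *http.Request, token string) string {
	scheme := "https"
	if p := r.Header.Get("X-Forwarded-Proto"); p != "" {
		scheme = p
	}
	return fmt.Sprintf("%s://%s/reset-password?token=%s",
		scheme, effectiveHost(r), url.QueryEscape(token))
}

// hardenedResetLink ignores the request entirely and builds the link from a
// configured public base URL, so header manipulation cannot move the origin.
func hardenedResetLink(baseURL, token string) (string, error) {
	u, err := url.Parse(baseURL)
	if err != nil || u.Scheme != "https" || u.Host == "" {
		return "", fmt.Errorf("refusing to build reset link: bad base URL %q", baseURL)
	}
	u.Path = "/reset-password"
	u.RawQuery = url.Values{"token": {token}}.Encode()
	return u.String(), nil
}

// allowedHost returns true only when the effective host (port stripped,
// case-insensitive) is one of the configured public hostnames.
func allowedHost(r *http.Request, allowed []string) bool {
	host := effectiveHost(r)
	if h, _, err := net.SplitHostPort(host); err == nil {
		host = h
	}
	host = strings.ToLower(host)
	for _, a := range allowed {
		if host == strings.ToLower(a) {
			return true
		}
	}
	return false
}

func main() {
	token := "c0ffee-constructed-token" // constructed sample token
	// Constructed request: the attacker posts the forgot-password form for the
	// victim's address (body omitted) with a spoofed X-Forwarded-Host.
	r := httptest.NewRequest(http.MethodPost,
		"https://sub2api.example.com/api/v1/auth/forgot-password", nil)
	r.Header.Set("X-Forwarded-Host", "attacker.example")

	fmt.Println("vulnerable:", vulnerableResetLink(r, token))
	// https://attacker.example/reset-password?token=c0ffee-constructed-token
	link, err := hardenedResetLink("https://sub2api.example.com", token)
	fmt.Println("hardened:  ", link, err)
	// https://sub2api.example.com/reset-password?token=c0ffee-constructed-token
	fmt.Println("host allowed:", allowedHost(r, []string{"sub2api.example.com"}))
	// false
}
```

The hardened builder is the fix that matters: once the origin comes from configuration, the header value is irrelevant to the email content. The allowlist check is worth keeping in front of every handler anyway, because other places in an application (redirects, canonical links, CORS) make the same mistake.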
Potential Impact
The primary impact of CVE-2026-27812 is account takeover through manipulation of password reset links. This compromises the confidentiality and integrity of user accounts on the sub2api platform. Organizations relying on sub2api to manage AI API quotas may face unauthorized access to subscription data, quota controls, and the upstream AI services those accounts are entitled to use. Attackers could use compromised accounts to disrupt service usage, consume or resell subscription quota, or, if a captured account is an administrator or its credentials are reused elsewhere, move further into the organization's systems. Because the poisoning request needs no credentials and only an email address, attacks can be automated and run against many users at once. This could lead to reputational damage, financial loss from subscription misuse, and operational disruption for businesses dependent on AI APIs. The absence of known exploits in the wild currently limits immediate widespread impact, but the vulnerability remains a high risk until patched.
Mitigation Recommendations
To mitigate CVE-2026-27812, organizations should prioritize upgrading sub2api to version 0.1.85 or later, where the vulnerability is fixed. If immediate upgrading is not feasible, the 'forgot password' feature should be disabled to block the attack vector. Additionally, the reverse proxy or application gateway in front of sub2api should overwrite, not pass through, Host-derived forwarding headers (X-Forwarded-Host, Forwarded) with values from its own configuration, and should reject requests whose Host header is not one of the site's public hostnames, so that a spoofed header never reaches the application. Monitoring password reset request logs can detect exploitation attempts: look for forgot-password requests whose Host or forwarding header differs from the canonical domain, and for spikes in reset requests from a single source. Employing multi-factor authentication (MFA) on user accounts reduces the impact of a compromised password, provided the reset flow itself does not bypass the second factor. Security teams should also review email templates and reset link generation logic to ensure absolute URLs are built from a configured base URL rather than from any request input. Finally, educating users about phishing risks related to password reset emails can help, with the caveat that in this attack the email is genuine and only the link's domain is wrong, so users should be told to check the domain and to ignore reset emails they did not request.
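The monitoring recommendation above, as an added Go example (not part of the advisory or of sub2api). It runs over constructed JSON access-log records of the kind a reverse proxy might emit; the field names, the endpoint path and the sample IP addresses are all assumptions. It flags reset requests whose Host or X-Forwarded-Host is not a canonical hostname and counts reset requests per source so spikes stand out.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"net"
	"strings"
)

// sampleLog holds constructed access-log records (JSON lines); the field names
// and the forgot-password path are assumed, not taken from sub2api.
const sampleLog = `
{"ts":"2026-02-26T00:10:01Z","src":"203.0.113.7","method":"POST","path":"/api/v1/auth/forgot-password","host":"sub2api.example.com","x_forwarded_host":""}
{"ts":"2026-02-26T00:10:02Z","src":"198.51.100.9","method":"POST","path":"/api/v1/auth/forgot-password","host":"sub2api.example.com","x_forwarded_host":"attacker.example"}
{"ts":"2026-02-26T00:10:03Z","src":"198.51.100.9","method":"POST","path":"/api/v1/auth/forgot-password","host":"attacker.example","x_forwarded_host":""}
{"ts":"2026-02-26T00:10:04Z","src":"198.51.100.9","method":"GET","path":"/api/v1/models","host":"attacker.example","x_forwarded_host":""}
{"ts":"2026-02-26T00:10:05Z","src":"203.0.113.7","method":"POST","path":"/api/v1/auth/forgot-password","host":"sub2api.example.com","x_forwarded_host":"sub2api.example.com"}
`

type logEntry struct {
	TS     string `json:"ts"`
	Src    string `json:"src"`
	Method string `json:"method"`
	Path   string `json:"path"`
	Host   string `json:"host"`
	XFH    string `json:"x_forwarded_host"`
}

type finding struct{ TS, Src, Reason string }

// isResetRequest selects the requests that can trigger a reset email.
func isResetRequest(e logEntry) bool {
	return e.Method == "POST" && strings.Contains(e.Path, "forgot-password")
}

// hostOK normalises a header value (first element, port stripped, lower case)
// and checks it against the canonical hostnames.
func hostOK(host string, canonical map[string]bool) bool {
	host = strings.ToLower(strings.TrimSpace(strings.Split(host, ",")[0]))
	if h, _, err := net.SplitHostPort(host); err == nil {
		host = h
	}
	return canonical[host]
}

// detectPoisoning returns one finding per reset request whose Host or
// X-Forwarded-Host is not canonical, plus reset-request counts per source IP.
func detectPoisoning(logs string, canonical []string) ([]finding, map[string]int) {
	canon := map[string]bool{}
	for _, c := range canonical {
		canon[strings.ToLower(c)] = true
	}
	var out []finding
	counts := map[string]int{}
	sc := bufio.NewScanner(strings.NewReader(logs))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var e logEntry
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			continue // malformed line: skip rather than abort the scan
		}
		if !isResetRequest(e) {
			continue
		}
		counts[e.Src]++
		switch {
		case !hostOK(e.Host, canon):
			out = append(out, finding{e.TS, e.Src, "Host header " + e.Host})
		case e.XFH != "" && !hostOK(e.XFH, canon):
			out = append(out, finding{e.TS, e.Src, "X-Forwarded-Host " + e.XFH})
		}
	}
	return out, counts
}

func main() {
	findings, counts := detectPoisoning(sampleLog, []string{"sub2api.example.com"})
	for _, f := range findings {
		fmt.Printf("%s %s suspicious reset request: %s\n", f.TS, f.Src, f.Reason)
	}
	for src, n := range counts {
		fmt.Printf("%s sent %d reset requests\n", src, n)
	}
}
```

On the sample data the two requests from 198.51.100.9 that carry attacker.example are flagged, the GET to another path is ignored, and the two requests from 203.0.113.7 are counted but clean. In production the same logic belongs in the SIEM query over the proxy's real field names, with the per-source counts bucketed by time window.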
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Japan, South Korea, India, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-24T02:31:33.267Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 699f8fb4b7ef31ef0b6dc8c1
Added to database: 2/26/2026, 12:11:32 AM
Last enriched: 2/26/2026, 12:26:10 AM
Last updated: 2/26/2026, 2:29:29 AM
Related Threats
CVE-2026-2506: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in motahar1 EM Cost Calculator (Medium)
CVE-2026-2499: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in tgrk Custom Logo (Medium)
CVE-2026-2498: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in bulktheme WP Social Meta (Medium)
CVE-2026-2489: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in readymadeweb TP2WP Importer (Medium)
CVE-2026-2029: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in livemesh Livemesh Addons for Beaver Builder (Medium)