CVE-2026-33661: CWE-290: Authentication Bypass by Spoofing in yansongda pay
CVE-2026-33661 is an authentication bypass vulnerability in the yansongda pay SDK prior to version 3. 7. 20. The vulnerability arises because the verify_wechat_sign() function skips signature verification if the HTTP request's Host header is set to 'localhost'. This allows an attacker to forge WeChat Pay payment success notifications by sending a crafted request with a 'Host: localhost' header, causing applications to incorrectly mark orders as paid. The issue is fixed in version 3. 7. 20.
AI Analysis
Technical Summary
The yansongda pay SDK, an open-source payment extension for Chinese payment services, contains a critical authentication bypass vulnerability (CWE-290) in versions before 3.7.20. Specifically, the verify_wechat_sign() function in src/Functions.php disables RSA signature verification when the PSR-7 request's Host header equals 'localhost'. An attacker exploiting this flaw can send a malicious HTTP request to the WeChat Pay callback endpoint with a spoofed Host header, bypassing signature checks and forging payment success notifications. This can lead to applications accepting fake payments. The vulnerability has a CVSS 3.1 score of 8.6 (high severity) and was fixed in version 3.7.20.
Potential Impact
Exploitation of this vulnerability allows an unauthenticated attacker to bypass RSA signature verification for WeChat Pay callbacks by spoofing the Host header as 'localhost'. This results in the ability to forge fake payment success notifications, potentially causing affected applications to mark orders as paid without actual payment. The impact is high on integrity, but does not affect confidentiality or availability.
Mitigation Recommendations
Upgrade yansongda pay to version 3.7.20 or later, where the verify_wechat_sign() function properly enforces signature verification regardless of the Host header. No other mitigations are indicated by the vendor advisory. Patch status is confirmed fixed in version 3.7.20.
CVE-2026-33661: CWE-290: Authentication Bypass by Spoofing in yansongda pay
Description
CVE-2026-33661 is an authentication bypass vulnerability in the yansongda pay SDK prior to version 3. 7. 20. The vulnerability arises because the verify_wechat_sign() function skips signature verification if the HTTP request's Host header is set to 'localhost'. This allows an attacker to forge WeChat Pay payment success notifications by sending a crafted request with a 'Host: localhost' header, causing applications to incorrectly mark orders as paid. The issue is fixed in version 3. 7. 20.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The yansongda pay SDK, an open-source payment extension for Chinese payment services, contains a critical authentication bypass vulnerability (CWE-290) in versions before 3.7.20. Specifically, the verify_wechat_sign() function in src/Functions.php disables RSA signature verification when the PSR-7 request's Host header equals 'localhost'. An attacker exploiting this flaw can send a malicious HTTP request to the WeChat Pay callback endpoint with a spoofed Host header, bypassing signature checks and forging payment success notifications. This can lead to applications accepting fake payments. The vulnerability has a CVSS 3.1 score of 8.6 (high severity) and was fixed in version 3.7.20.
Potential Impact
Exploitation of this vulnerability allows an unauthenticated attacker to bypass RSA signature verification for WeChat Pay callbacks by spoofing the Host header as 'localhost'. This results in the ability to forge fake payment success notifications, potentially causing affected applications to mark orders as paid without actual payment. The impact is high on integrity, but does not affect confidentiality or availability.
Mitigation Recommendations
Upgrade yansongda pay to version 3.7.20 or later, where the verify_wechat_sign() function properly enforces signature verification regardless of the Host header. No other mitigations are indicated by the vendor advisory. Patch status is confirmed fixed in version 3.7.20.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-23T15:23:42.219Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 69c5a54b3c064ed76fcfc828
Added to database: 3/26/2026, 9:29:47 PM
Last enriched: 4/3/2026, 1:31:39 PM
Last updated: 5/11/2026, 6:12:27 AM
Views: 70
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.