CVE-2026-44342: CWE-352: Cross-Site Request Forgery (CSRF) in QuantumNous new-api
QuantumNous new-api versions prior to 0.12.0-alpha.1 contain a Cross-Site Request Forgery (CSRF) vulnerability in the email and WeChat account binding endpoints. These endpoints used GET requests for state-changing operations, allowing attackers to potentially bind an attacker-controlled email or OAuth identity to a logged-in user's account if session cookies were sent on cross-site navigations. This issue is fixed in version 0.12.0-alpha.1.
AI Analysis
Technical Summary
The QuantumNous new-api product had a CSRF vulnerability (CWE-352) in its email and WeChat account binding endpoints (GET /api/oauth/email/bind and GET /api/oauth/wechat/bind) prior to version 0.12.0-alpha.1. These endpoints used GET requests for operations that change user account state, which is insecure because GET requests can be triggered cross-site without user intent. An attacker could exploit this by causing a logged-in user's browser to perform these GET requests, binding attacker-controlled credentials to the victim's account if session cookies were sent on cross-site navigations. The vulnerability was addressed and fixed in version 0.12.0-alpha.1.
Potential Impact
Successful exploitation allows an attacker to bind their own email address or OAuth identity to a victim's account without their consent, potentially leading to account takeover or unauthorized access scenarios. The vulnerability does not impact confidentiality or availability but impacts integrity of user account bindings. The CVSS score is 5.3 (medium severity), reflecting the need for user interaction and high attack complexity.
Mitigation Recommendations
Upgrade QuantumNous new-api to version 0.12.0-alpha.1 or later, where this CSRF vulnerability is fixed by disallowing state-changing operations via GET requests. No other mitigation details are provided. Patch status is confirmed fixed in 0.12.0-alpha.1.
CVE-2026-44342: CWE-352: Cross-Site Request Forgery (CSRF) in QuantumNous new-api
Description
QuantumNous new-api versions prior to 0.12.0-alpha.1 contain a Cross-Site Request Forgery (CSRF) vulnerability in the email and WeChat account binding endpoints. These endpoints used GET requests for state-changing operations, allowing attackers to potentially bind an attacker-controlled email or OAuth identity to a logged-in user's account if session cookies were sent on cross-site navigations. This issue is fixed in version 0.12.0-alpha.1.
CVSS v3.1
Score 5.3medium
Affected software
pkg:github/quantumnous/new-apiRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The QuantumNous new-api product had a CSRF vulnerability (CWE-352) in its email and WeChat account binding endpoints (GET /api/oauth/email/bind and GET /api/oauth/wechat/bind) prior to version 0.12.0-alpha.1. These endpoints used GET requests for operations that change user account state, which is insecure because GET requests can be triggered cross-site without user intent. An attacker could exploit this by causing a logged-in user's browser to perform these GET requests, binding attacker-controlled credentials to the victim's account if session cookies were sent on cross-site navigations. The vulnerability was addressed and fixed in version 0.12.0-alpha.1.
Potential Impact
Successful exploitation allows an attacker to bind their own email address or OAuth identity to a victim's account without their consent, potentially leading to account takeover or unauthorized access scenarios. The vulnerability does not impact confidentiality or availability but impacts integrity of user account bindings. The CVSS score is 5.3 (medium severity), reflecting the need for user interaction and high attack complexity.
Mitigation Recommendations
Upgrade QuantumNous new-api to version 0.12.0-alpha.1 or later, where this CSRF vulnerability is fixed by disallowing state-changing operations via GET requests. No other mitigation details are provided. Patch status is confirmed fixed in 0.12.0-alpha.1.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-05T19:52:59.147Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a50252a68715ace43310cd0
Added to database: 07/09/2026, 22:48:10 UTC
Last enriched: 07/09/2026, 23:03:10 UTC
Last updated: 07/09/2026, 23:57:53 UTC
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.