Vulnerability in New API: WeChat and Email Account Binding Flaws
CVE-2026-44342

5.3MEDIUM

Key Information:

Status
Vendor
CVE Published:
9 July 2026

What is CVE-2026-44342?

The New API product by QuantumNous had a serious vulnerability affecting its account binding functionality. Before version 0.12.0-alpha.1, the endpoints for binding email and WeChat accounts utilized GET requests, which are typically safe for retrieving information. However, these state-changing operations could lead to serious security risks. An attacker could exploit this misconfiguration to deceive a logged-in user’s browser into binding their account to an attacker-controlled email or OAuth identity. This vulnerability allowed unauthorized modifications to user accounts when session cookies were inadvertently transmitted during cross-site navigations. Users are urged to upgrade to version 0.12.0-alpha.1 or later to mitigate these risks.

Affected Version(s)

new-api < 0.12.0-alpha.1

References

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.