Vulnerability in New API: WeChat and Email Account Binding Flaws
CVE-2026-44342
What is CVE-2026-44342?
The New API product by QuantumNous had a serious vulnerability affecting its account binding functionality. Before version 0.12.0-alpha.1, the endpoints for binding email and WeChat accounts utilized GET requests, which are typically safe for retrieving information. However, these state-changing operations could lead to serious security risks. An attacker could exploit this misconfiguration to deceive a logged-in user’s browser into binding their account to an attacker-controlled email or OAuth identity. This vulnerability allowed unauthorized modifications to user accounts when session cookies were inadvertently transmitted during cross-site navigations. Users are urged to upgrade to version 0.12.0-alpha.1 or later to mitigate these risks.
Affected Version(s)
new-api < 0.12.0-alpha.1
