CVE-2026-27812

9.1 CRITICAL

📋 TL;DR

CVE-2026-27812 is a password reset poisoning vulnerability in Sub2API versions before 0.1.85. The application builds password reset links from attacker-controllable request headers (Host / Forwarded), so an attacker can inject their own domain into the link a user receives. This can lead to account takeover by tricking users into completing a password reset through an attacker-controlled site. Organizations running vulnerable Sub2API versions are affected.

💻 Affected Systems

Products:
  • Sub2API
Versions: All versions prior to 0.1.85
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems with password reset functionality enabled.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete account takeover of all Sub2API users, potentially leading to unauthorized access to AI API quotas and subscription management systems.

🟠 Likely Case

Targeted account takeover of specific users, enabling attackers to steal API quotas or manipulate subscription settings.

🟢 If Mitigated

No impact if the password reset feature is disabled or proper host header validation is implemented.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires network access to the vulnerable endpoint and ability to manipulate HTTP headers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v0.1.85

Vendor Advisory: https://github.com/Wei-Shaw/sub2api/security/advisories/GHSA-vc2q-289v-74g3

Restart Required: Yes

Instructions:

1. Back up the current configuration.
2. Stop the Sub2API service.
3. Update to v0.1.85 or later.
4. Restart the Sub2API service.
5. Verify functionality.

🔧 Temporary Workarounds

Disable Password Reset (applies to: all)

Temporarily disable the forgot password feature to prevent exploitation.

# Configuration setting depends on deployment method
# Check Sub2API documentation for disable_password_reset setting

🧯 If You Can't Patch

  • Implement WAF rules to validate and sanitize Host and Forwarded headers
  • Use network segmentation to restrict access to password reset endpoints
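The "proper host header validation" named under If Mitigated and the header-validation rule suggested above both come down to the same two controls: never derive the reset link's origin from request headers, and reject or log reset requests whose claimed host is not one the deployment actually serves. The following Go program is an added illustration written for this page, not Sub2API's code; the `PublicBaseURL` constant, the `allowedHosts` set, the hostnames and the handling of `X-Forwarded-Host` and RFC 7239 `Forwarded` are assumptions chosen for the example, and the `/password-reset` path is taken from the SIEM query below.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"strings"
)

// PublicBaseURL is a hypothetical operator-configured setting: the only
// source of truth for the origin of links placed in outgoing e-mail.
const PublicBaseURL = "https://app.example.com"

// allowedHosts lists the hostnames this deployment is legitimately served
// under (constructed values). Anything else is treated as spoofed.
var allowedHosts = map[string]bool{
	"app.example.com": true,
}

// forwardedHost returns the host a proxy-aware application would trust from
// X-Forwarded-Host or the host= directive of a Forwarded header, or "".
func forwardedHost(r *http.Request) string {
	if fwd := r.Header.Get("X-Forwarded-Host"); fwd != "" {
		return strings.TrimSpace(strings.Split(fwd, ",")[0])
	}
	for _, part := range strings.Split(r.Header.Get("Forwarded"), ";") {
		kv := strings.SplitN(strings.TrimSpace(part), "=", 2)
		if len(kv) == 2 && strings.EqualFold(kv[0], "host") {
			return strings.Trim(kv[1], `"`)
		}
	}
	return ""
}

// effectiveHost is the host the request claims, lowercased and without port.
func effectiveHost(r *http.Request) string {
	host := r.Host
	if fh := forwardedHost(r); fh != "" {
		host = fh
	}
	host = strings.ToLower(host)
	if h, _, err := net.SplitHostPort(host); err == nil {
		host = h
	}
	return host
}

// vulnerableResetLink shows the poisoning-prone pattern: the link origin is
// copied from client-controlled headers, so a forged header becomes the
// domain in the e-mailed link.
func vulnerableResetLink(r *http.Request, token string) string {
	return fmt.Sprintf("https://%s/password-reset?token=%s",
		effectiveHost(r), url.QueryEscape(token))
}

// hardenedResetLink ignores the request entirely and builds the link from the
// configured base URL, so headers cannot influence where the token is sent.
func hardenedResetLink(token string) (string, error) {
	base, err := url.Parse(PublicBaseURL)
	if err != nil || base.Scheme == "" || base.Host == "" {
		return "", errors.New("invalid configured base URL")
	}
	base.Path = "/password-reset"
	q := url.Values{}
	q.Set("token", token)
	base.RawQuery = q.Encode()
	return base.String(), nil
}

// isHostAllowed is the check a WAF rule or middleware on the reset endpoints
// would apply: a claimed host outside the allowlist is rejected and logged.
func isHostAllowed(r *http.Request) bool {
	return allowedHosts[effectiveHost(r)]
}

func main() {
	// Constructed request: legitimate Host, forged X-Forwarded-Host.
	req, _ := http.NewRequest("POST", "/forgot-password", nil)
	req.Host = "app.example.com"
	req.Header.Set("X-Forwarded-Host", "attacker.example")

	fmt.Println("vulnerable link:", vulnerableResetLink(req, "tok123"))
	safe, _ := hardenedResetLink("tok123")
	fmt.Println("hardened link:  ", safe)
	fmt.Println("host allowed:   ", isHostAllowed(req))
}
```

Running the program prints a link pointing at `attacker.example` from the vulnerable builder and one pointing at `app.example.com` from the hardened one; `isHostAllowed` returns false for the forged request, which is the event the log indicators in the Detection section describe. Placing the allowlist check in front of the endpoint (or in the WAF) stops the poisoned link from ever being generated, while building links from configuration is the durable fix.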

🔍 How to Verify

Check if Vulnerable:

Check the Sub2API version: if it is below 0.1.85 and password reset is enabled, the system is vulnerable.

Check Version:

sub2api --version or check package manager/container image tag

Verify Fix Applied:

Confirm the version is 0.1.85 or later, then exercise the password reset flow with manipulated Host and Forwarded headers and confirm the generated reset link still points at your own domain.

📡 Detection & Monitoring

Log Indicators:

  • Unusual Host header values in password reset requests
  • Password reset attempts with suspicious referrers

Network Indicators:

  • HTTP requests to password reset endpoint with manipulated headers
  • Outbound connections to unusual domains after password reset

SIEM Query:

source="sub2api" AND (uri_path="/password-reset" OR uri_path="/forgot-password") AND (header.host CONTAINS suspicious_domain OR header.forwarded CONTAINS suspicious_domain)
