Description
Sub2API is an AI API gateway platform designed to distribute and manage API quotas from AI product subscriptions. A vulnerability in versions prior to 0.1.85 is a Password Reset Poisoning (Host Header / Forwarded Header trust issue), which allows attackers to manipulate the password reset link. Attackers can exploit this flaw to inject their own domain into the password reset link, leading to the potential for account takeover. The vulnerability has been fixed in version v0.1.85. If upgrading is not immediately possible, users can mitigate the vulnerability by disabling the "forgot password" feature until an upgrade to a patched version can be performed. This will prevent attackers from exploiting the vulnerability via the affected endpoint.
Published: 2026-02-26
Score: 8 High
EPSS: < 1% Very Low
KEV: No
Impact: Account Takeover
Action: Immediate Patch
AI Analysis

Impact

Sub2API, an AI API gateway, trusts the Host and Forwarded headers of incoming requests when it builds password‑reset links, which enables password reset poisoning. An attacker submits a forgot‑password request for a victim's account with a crafted Host (or forwarded‑host) header; the reset link sent to the victim then points at the attacker's domain, and when the victim opens it the reset token is delivered to the attacker, who can replay it against the legitimate host and set a new password. The vulnerability is recorded as CWE‑116 and, if exploited, leads to unauthorized account takeover and potential compromise of all data reachable through the affected accounts.

Affected Systems

The vulnerability affects the Wei‑Shaw sub2api product in all releases before 0.1.85. Organizations running any prior version should verify the installed version and upgrade to v0.1.85 or later. Note that the CPE for this record was changed on 5 March 2026 from cpe:2.3:a:wei-shaw:sub2api to cpe:2.3:a:sub2api:sub2api, so asset matching and scanner rules should account for both identifiers.

Risk and Exploitability

The assigner's CVSS 4.0 base score is 8.0 (High), vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N; NVD additionally records a CVSS 3.1 score of 9.1 (Critical), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N. The EPSS score is below 1%, suggesting that exploitation in the wild is currently unlikely but not impossible, and the flaw is not listed in CISA's KEV catalog; the SSVC assessment nevertheless rates it Automatable with total technical impact. Both vectors state PR:N, so no prior authentication is required: an unauthenticated attacker can exploit the vulnerability remotely by sending a crafted HTTP request to the password‑reset endpoint with manipulated Host or Forwarded headers. As with other reset‑poisoning attacks, the token is exposed only once the victim opens the poisoned link; once it is, full takeover of the affected account is possible.

Generated by OpenCVE AI on April 18, 2026 at 19:35 UTC.

Remediation

Vendor fix: upgrade to v0.1.85 or later. Workaround: disable the "forgot password" feature until the upgrade can be performed, which prevents attackers from reaching the affected endpoint.

OpenCVE Recommended Actions

  • Upgrade the sub2api software to version 0.1.85 or later, which contains the host‑header validation fix.
  • Disable the 'forgot password' feature entirely until a patched version is deployed, preventing attackers from reaching the vulnerable endpoint.
  • Configure the deployment or reverse proxy to validate the Host header against an allowlist of trusted domains and to strip or overwrite client‑supplied X‑Forwarded‑Host and Forwarded headers, so that similar header‑trust issues cannot be reached from the network edge.
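The header‑trust flaw described in the Impact and Risk sections, and the allowlist mitigation recommended above, illustrated as an added example in Go. This is not Sub2API's own code; the base URL, the trusted‑host allowlist, the /reset-password path and the helper names are assumptions made for the example. It places a reset‑link builder that takes its origin from attacker‑controllable headers beside one that uses a configured base URL and rejects untrusted Host values.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Hypothetical deployment settings (not Sub2API configuration keys): the
// public URL users are expected to visit, and the Host values the
// application will accept.
const canonicalBaseURL = "https://gateway.example.com"

var trustedHosts = map[string]bool{
	"gateway.example.com": true,
}

// forwardedParam extracts one parameter (e.g. "host" or "proto") from an
// RFC 7239 Forwarded header such as
//   Forwarded: for=203.0.113.5;host="evil.example";proto=https
func forwardedParam(h, name string) string {
	for _, elem := range strings.Split(h, ",") {
		for _, pair := range strings.Split(elem, ";") {
			k, v, ok := strings.Cut(strings.TrimSpace(pair), "=")
			if ok && strings.EqualFold(k, name) {
				return strings.Trim(v, `"`)
			}
		}
	}
	return ""
}

// vulnerableResetLink shows the anti-pattern behind password reset
// poisoning: the link's scheme and host are copied from request headers the
// client controls, so the token in the reset message points at whatever
// origin the attacker supplied.
func vulnerableResetLink(r *http.Request, token string) string {
	fwd := r.Header.Get("Forwarded")
	scheme := "http"
	if r.TLS != nil {
		scheme = "https"
	}
	if p := r.Header.Get("X-Forwarded-Proto"); p != "" {
		scheme = p
	} else if p := forwardedParam(fwd, "proto"); p != "" {
		scheme = p
	}
	host := r.Host
	if fh := r.Header.Get("X-Forwarded-Host"); fh != "" {
		host = fh
	} else if fh := forwardedParam(fwd, "host"); fh != "" {
		host = fh
	}
	return fmt.Sprintf("%s://%s/reset-password?token=%s", scheme, host, url.QueryEscape(token))
}

// hardenedResetLink builds the link from the configured base URL and rejects
// requests whose Host is not on the allowlist. Forwarded headers are never
// consulted; a reverse proxy in front of the service should overwrite them
// rather than pass client-supplied values through.
func hardenedResetLink(r *http.Request, token string) (string, error) {
	host := strings.ToLower(r.Host)
	if h, _, err := net.SplitHostPort(host); err == nil {
		host = h // drop an explicit port before the allowlist check
	}
	if !trustedHosts[host] {
		return "", fmt.Errorf("untrusted Host header %q", r.Host)
	}
	u, err := url.Parse(canonicalBaseURL)
	if err != nil {
		return "", err
	}
	u.Path = "/reset-password"
	q := url.Values{}
	q.Set("token", token)
	u.RawQuery = q.Encode()
	return u.String(), nil
}

func main() {
	// Constructed request: the attacker has replaced the Host header on a
	// forgot-password submission for the victim's account.
	r := httptest.NewRequest("POST", "http://gateway.example.com/api/forgot-password", nil)
	r.Host = "evil.example"
	fmt.Println("vulnerable:", vulnerableResetLink(r, "tok123"))
	if _, err := hardenedResetLink(r, "tok123"); err != nil {
		fmt.Println("hardened:  ", err)
	}
}
```

Run as written, the vulnerable builder emits http://evil.example/reset-password?token=tok123 while the hardened builder refuses the request; with a Forwarded: host="evil.example" header on an otherwise legitimate Host, the vulnerable builder is still poisoned and the hardened one returns the canonical link, because it never reads forwarded headers at all. Disabling the forgot‑password endpoint, as the workaround advises, removes the code path entirely until the fixed version is deployed.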

Advisories

No advisories yet.

History

Thu, 05 Mar 2026 18:00:00 +0000

  Type: First Time appeared
    Values Added: Sub2api; Sub2api sub2api
  Type: CPEs
    Values Removed: cpe:2.3:a:wei-shaw:sub2api:*:*:*:*:*:*:*:*
    Values Added:   cpe:2.3:a:sub2api:sub2api:*:*:*:*:*:*:*:*
  Type: Vendors & Products
    Values Added: Sub2api; Sub2api sub2api

Thu, 05 Mar 2026 16:15:00 +0000

  Type: CPEs
    Values Added: cpe:2.3:a:wei-shaw:sub2api:*:*:*:*:*:*:*:*
  Type: Metrics (cvssV3_1)
    Values Added: {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}

Thu, 26 Feb 2026 17:15:00 +0000

  Type: Metrics (ssvc)
    Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 26 Feb 2026 13:30:00 +0000

  Type: First Time appeared
    Values Added: Wei-shaw; Wei-shaw sub2api
  Type: Vendors & Products
    Values Added: Wei-shaw; Wei-shaw sub2api

Thu, 26 Feb 2026 00:15:00 +0000

  Type: Description
    Values Added: Sub2API is an AI API gateway platform designed to distribute and manage API quotas from AI product subscriptions. A vulnerability in versions prior to 0.1.85 is a Password Reset Poisoning (Host Header / Forwarded Header trust issue), which allows attackers to manipulate the password reset link. Attackers can exploit this flaw to inject their own domain into the password reset link, leading to the potential for account takeover. The vulnerability has been fixed in version v0.1.85. If upgrading is not immediately possible, users can mitigate the vulnerability by disabling the "forgot password" feature until an upgrade to a patched version can be performed. This will prevent attackers from exploiting the vulnerability via the affected endpoint.
  Type: Title
    Values Added: Sub2API Vulnerable to Password Reset Poisoning via Host Header Trust Issue, Leading to Account Takeover
  Type: Weaknesses
    Values Added: CWE-116
  Type: References
  Type: Metrics (cvssV4_0)
    Values Added: {'score': 8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-26T14:53:58.840Z

Reserved: 2026-02-24T02:31:33.267Z

Link: CVE-2026-27812

Vulnrichment

Updated: 2026-02-26T14:53:53.409Z

NVD

Status : Analyzed

Published: 2026-02-26T00:16:26.467

Modified: 2026-03-05T17:47:02.913

Link: CVE-2026-27812

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T19:45:08Z

Weaknesses