LOW 3.1

CVE-2026-11465: Business Logic Flaw in songquanpeng one-api Redemption Endpoint

A logic flaw exists in songquanpeng one-api versions up to 0.6.11-preview.7 that affects the redemption code top-up functionality. An authenticated attacker with specific knowledge of the system could bypass or manipulate the business logic governing how redemption codes are processed, potentially allowing unauthorized credit issuance or redemption manipulation. The attack is complex to execute and requires an active user account, making widespread exploitation unlikely in typical deployments.

Source data · NVD / CISA · public domain

CVSS
3.1 · 3.1 LOW · CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
Weaknesses (CWE)
CWE-840
Affected products
0 configuration(s)
Published / Modified
2026-06-07 / 2026-06-17

NVD description (verbatim)

A security flaw has been discovered in songquanpeng one-api up to 0.6.11-preview.7. Affected by this issue is the function Redeem of the file model/redemption.go of the component Redemption Code Top-Up Endpoint. The manipulation results in business logic errors. The attack may be launched remotely. The attack requires a high level of complexity. The exploitation is known to be difficult. The exploit has been released to the public and may be used for attacks. The pull request to fix this issue awaits acceptance.

7 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11465 is a business logic vulnerability in the Redeem function within model/redemption.go of songquanpeng one-api. The flaw stems from improper validation or state management in the redemption code processing endpoint, allowing authenticated users to circumvent intended controls. The vulnerability is classified under CWE-840 (Use of Inadequately Validated Data) and carries a CVSS 3.1 score of 3.1 (Low severity) with a vector reflecting network-based attack, high complexity requirements, low privilege threshold, and limited integrity impact.

Business impact

The primary business risk centers on revenue leakage through unauthorized or duplicate redemptions. If an attacker can manipulate the redemption logic, they may issue credits to accounts without proper monetary exchange or redeem codes multiple times. For SaaS platforms offering token-based pricing models—common in API services—this could directly undermine billing integrity. The impact is contained to the redemption subsystem and does not affect confidentiality or system availability, limiting scope to financial and audit controls.

Affected systems

The vulnerability affects songquanpeng one-api up to and including version 0.6.11-preview.7. This is a preview release, suggesting the software may be deployed in development or early-stage production environments. Exposure is limited to users operating affected versions of one-api and depends on whether the Redemption Code Top-Up feature is actively used in their deployment model.

Exploitability

Exploitation requires high technical complexity and an authenticated account on the target instance. The attacker must understand the redemption workflow and crafted-request logic in sufficient detail to manipulate the endpoint behavior. While a public exploit has been disclosed, the barrier to practical exploitation remains moderately high. Successful attacks are limited to authenticated users, eliminating external anonymous attack scenarios. The difficulty of exploitation provides a narrow window before patch adoption can mitigate risk.

Remediation

Upgrade songquanpeng one-api to a patched version beyond 0.6.11-preview.7. A pull request addressing this issue is pending acceptance into the upstream repository. Teams should monitor the official repository for release announcements and apply updates promptly. Until a stable patch is available, consider temporarily disabling the Redemption Code Top-Up feature if the deployment does not depend on it, or implement application-level access controls restricting redemption operations to trusted administrators.

Patch guidance

Check the songquanpeng one-api GitHub repository for merged or tagged releases that supersede version 0.6.11-preview.7. The vendor has indicated a pull request exists to remediate this issue. Once merged and released, apply the patched version in a non-production environment first to validate compatibility with your configuration and integrations. Given that 0.6.11-preview.7 is a preview build, prioritize upgrading to a stable release train if available. Document your patch validation and deployment timeline to demonstrate timely remediation.

Detection guidance

Monitor redemption endpoint logs for anomalous patterns such as multiple redemptions from the same code within short time intervals, redemption requests with unusual parameter combinations, or redemptions originating from unexpected user accounts or IP ranges. Audit redemption transaction records against actual payment deposits to identify discrepancies. Enable detailed logging on the redemption.go module if your deployment supports debug-level instrumentation. Search for unauthorized or duplicate credit issuance in your billing records, particularly for high-value redemptions that lack corresponding revenue events.

Why prioritize this

This vulnerability warrants moderate-priority remediation despite its low CVSS score. Although technical exploitation is difficult and requires authentication, the financial impact of successful attacks directly affects billing integrity and revenue recognition. Customers using redemption codes as a monetization mechanism should prioritize patching above vulnerabilities affecting less critical subsystems. The public disclosure of an exploit and pending vendor patch create urgency to close the exposure before attackers refine exploitation techniques. Organizations not using the redemption feature can deprioritize relative to other urgent patches.

Risk score, explained

The CVSS 3.1 score of 3.1 (Low) reflects the high complexity of exploitation, authentication requirement, and limited scope of impact. However, the financial nature of the affected component elevates business risk above the numerical score. The vulnerability does not threaten data confidentiality, system availability, or authentication mechanisms—only the integrity of redemption transactions. For organizations where redemption represents a significant revenue channel, functional risk is higher than the base score suggests.

Frequently asked questions

Do I need to immediately patch if my one-api deployment does not use redemption codes?

No. If the Redemption Code Top-Up feature is not enabled or used in your deployment, this vulnerability poses minimal practical risk. However, you should still plan to patch during your next scheduled update cycle, as preview versions are not recommended for long-term production use regardless of individual CVE status.

Can an unauthenticated attacker exploit this vulnerability?

No. The vulnerability requires a valid user account on the one-api instance. An attacker without authentication credentials cannot trigger the flaw. This significantly limits the threat surface and makes mass exploitation infeasible.

What should I monitor to detect if this vulnerability has been exploited?

Focus on redemption transaction audits: look for duplicate or repeated redemptions of the same code, unusual redemption volumes, or redemptions that lack corresponding revenue inflow. Cross-check credit issuance logs with actual payment records. If available, enable verbose logging on the redemption endpoint and review for unexpected function behavior or failed validation checks.

Is there a workaround if I cannot patch immediately?

As a temporary measure, you can restrict access to the redemption endpoint to a whitelist of trusted administrator accounts or IP ranges at the network or application level. Consider disabling the feature entirely if it is not actively used. These are interim mitigations only—prioritize applying the vendor patch once available.

This analysis is provided for informational purposes to assist security teams in vulnerability assessment and remediation prioritization. The information herein is derived from publicly disclosed CVE data and vendor advisories as of the publication date. No warranty is made regarding the completeness or accuracy of vendor patch details; teams must verify patch version numbers and availability through official vendor repositories before deployment. SEC.co does not conduct independent exploit verification or penetration testing of the affected software. Readers bear responsibility for validating applicability to their own environments and conducting thorough testing before applying patches to production systems. This content does not constitute legal advice or constitute a recommendation to take or refrain from any specific action. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).