CVE-2026-33661: WeChat Pay callback signature verification bypassed when Host header is localhost
The verify_wechat_sign() function in src/Functions.php unconditionally skips signature verification when the PSR-7 request reports localhost as its host. Because the Host header is set by the client, an attacker can send a crafted HTTP request directly to the WeChat Pay callback endpoint with a Host: localhost header and bypass the RSA signature check entirely, whether or not the request carries a valid Wechatpay-Signature header.
This allows forging WeChat Pay payment success notifications, so an application that trusts the callback may mark orders as paid without any actual payment. Trust decisions must not depend on request-controlled values such as Host; a development-mode shortcut, if one is needed at all, belongs in server-side configuration and must never disable verification for callbacks that change order state.
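The following is an added illustration, not the project's code: it reconstructs the vulnerable shape described above (a Host-based shortcut around verification) beside a hardened verifier that checks the signature unconditionally. A plain array stands in for the PSR-7 request, a freshly generated RSA key pair stands in for the WeChat Pay platform key, and the function names and the sample notification body are assumptions. The signed message layout follows the WeChat Pay API v3 convention of timestamp, nonce and body joined by newlines with SHA256withRSA.

```php
<?php
// Added example, not the project's code. The request array stands in for a
// PSR-7 ServerRequestInterface; key material and sample body are constructed here.
declare(strict_types=1);

// WeChat Pay API v3 signs "{timestamp}\n{nonce}\n{body}\n" with SHA256withRSA
// and sends the base64 signature in the Wechatpay-Signature header.
function wechat_v3_message(array $req): string
{
    return $req['headers']['Wechatpay-Timestamp'] . "\n"
         . $req['headers']['Wechatpay-Nonce'] . "\n"
         . $req['body'] . "\n";
}

function rsa_sha256_verify(string $message, string $b64Sig, string $platformPublicKeyPem): bool
{
    $sig = base64_decode($b64Sig, true);
    if ($sig === false || $sig === '') {
        return false;
    }
    return openssl_verify($message, $sig, $platformPublicKeyPem, OPENSSL_ALGO_SHA256) === 1;
}

// Vulnerable shape (hypothetical name): a "local development" shortcut keyed on
// the Host value, which any client can set, so it is attacker-controlled.
function verify_wechat_sign_vulnerable(array $req, string $platformPublicKeyPem): bool
{
    if ($req['host'] === 'localhost') {
        return true; // bypass: no signature needed when Host says localhost
    }
    return rsa_sha256_verify(wechat_v3_message($req),
        $req['headers']['Wechatpay-Signature'] ?? '', $platformPublicKeyPem);
}

// Hardened shape (hypothetical name): verify unconditionally. Any dev-mode
// toggle must come from server-side configuration, never from the request.
function verify_wechat_sign_fixed(array $req, string $platformPublicKeyPem): bool
{
    return rsa_sha256_verify(wechat_v3_message($req),
        $req['headers']['Wechatpay-Signature'] ?? '', $platformPublicKeyPem);
}

// --- demo: a generated key pair stands in for the WeChat Pay platform key ---
$platformKey = openssl_pkey_new([
    'private_key_bits' => 2048,
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
]);
$platformPublicKeyPem = openssl_pkey_get_details($platformKey)['key'];

// Constructed sample notification, as the real platform would sign it.
$genuine = [
    'host'    => 'pay.example.com',
    'headers' => ['Wechatpay-Timestamp' => '1700000000', 'Wechatpay-Nonce' => 'n0nce'],
    'body'    => '{"event_type":"TRANSACTION.SUCCESS","resource":{"out_trade_no":"ORDER-1"}}',
];
openssl_sign(wechat_v3_message($genuine), $sig, $platformKey, OPENSSL_ALGO_SHA256);
$genuine['headers']['Wechatpay-Signature'] = base64_encode($sig);

// Constructed attacker request: Host: localhost, different body, garbage signature.
$forged = $genuine;
$forged['host'] = 'localhost';
$forged['body'] = '{"event_type":"TRANSACTION.SUCCESS","resource":{"out_trade_no":"ORDER-999"}}';
$forged['headers']['Wechatpay-Signature'] = base64_encode(str_repeat("\x41", 256));

printf("vulnerable: genuine=%s forged=%s\n",
    var_export(verify_wechat_sign_vulnerable($genuine, $platformPublicKeyPem), true),
    var_export(verify_wechat_sign_vulnerable($forged, $platformPublicKeyPem), true));
printf("fixed:      genuine=%s forged=%s\n",
    var_export(verify_wechat_sign_fixed($genuine, $platformPublicKeyPem), true),
    var_export(verify_wechat_sign_fixed($forged, $platformPublicKeyPem), true));
```

Running this with the openssl extension loaded shows the vulnerable verifier accepting the forged request solely because of its host value, while the hardened verifier accepts only the request whose signature was produced with the platform private key. To confirm exposure in a deployment, send a request to the callback route with Host: localhost and an invalid signature and check whether the handler proceeds to the order-update path; a reverse proxy that rewrites Host does not remove the bug, since the application can still be reached with an arbitrary Host by anything that bypasses the proxy.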