High (8.6)

Pay SDK skips signature verification (CVE-2026-33661)

CVE-2026-33661

Pay is an open-source payment SDK extension package for various Chinese payment services. Prior to version 3.7.20, the `verify_wechat_sign()` function in `src/Functions.php` unconditionally skips all ...

Overview

A critical security vulnerability has been identified in the Pay SDK, an open-source package used to integrate various Chinese payment services into applications. This flaw, tracked as CVE-2026-33661, allows an attacker to completely bypass the security check that validates incoming WeChat Pay notifications. This could lead to severe financial discrepancies for affected businesses.

Vulnerability Details

In versions prior to 3.7.20, the Pay SDK contains a function named `verify_wechat_sign()` that is responsible for verifying the digital signature on payment notifications from WeChat Pay. This RSA signature check is essential to confirm that a payment notification is genuinely from WeChat and not forged.

The vulnerability is a logic flaw in that function: if the incoming HTTP request has a `Host` header set to `localhost`, the function skips the signature verification entirely. The `Host` header is chosen by whoever sends the request, so it says nothing about where the request actually came from. An attacker can exploit this by crafting a malicious request to an application's WeChat Pay callback URL and simply adding `Host: localhost` to the request headers, which tricks the SDK into treating the request as a local, trusted one.
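The following is an added illustration of the flawed pattern and its hardened counterpart; it is not the Pay SDK's own code. The function names, the header-array shape and the key handling are hypothetical. The `Wechatpay-*` header names and the signed-message layout (timestamp, nonce and body, each newline-terminated) follow my understanding of the WeChat Pay v3 scheme and should be checked against the vendor documentation before reuse. The self-test at the bottom uses a constructed key pair and a constructed notification body.

```php
<?php
// Added example, not the Pay SDK's code. Only the pattern (trusting a
// client-controlled Host header to skip signature checking) comes from the
// advisory; everything else here is an assumption for illustration.

declare(strict_types=1);

/** Vulnerable pattern: trust is derived from a header the client controls. */
function verify_notify_vulnerable(array $headers, string $body, string $wechatPublicKeyPem): bool
{
    // BUG: Host is set by the caller. Any remote sender can include
    // "Host: localhost" and skip the RSA check entirely.
    if (($headers['Host'] ?? '') === 'localhost') {
        return true;
    }
    return rsa_sha256_verify($headers, $body, $wechatPublicKeyPem);
}

/** Hardened pattern: the signature is always checked; no header short-circuits it. */
function verify_notify_hardened(array $headers, string $body, string $wechatPublicKeyPem): bool
{
    $ok = rsa_sha256_verify($headers, $body, $wechatPublicKeyPem);
    if (!$ok) {
        // Monitoring hook: a rejected notification deserves a log line with
        // the remote address and the Host header the caller presented.
        error_log(sprintf(
            'wechat notify rejected: remote=%s host=%s serial=%s',
            $_SERVER['REMOTE_ADDR'] ?? 'unknown',
            $headers['Host'] ?? '',
            $headers['Wechatpay-Serial'] ?? ''
        ));
    }
    return $ok;
}

/** RSA-SHA256 check over the v3 signed message (message layout is an assumption). */
function rsa_sha256_verify(array $headers, string $body, string $publicKeyPem): bool
{
    foreach (['Wechatpay-Timestamp', 'Wechatpay-Nonce', 'Wechatpay-Signature'] as $h) {
        if (!isset($headers[$h]) || $headers[$h] === '') {
            return false;
        }
    }
    // Reject stale notifications: a 5-minute window (assumed tolerance).
    if (abs(time() - (int) $headers['Wechatpay-Timestamp']) > 300) {
        return false;
    }
    $message = $headers['Wechatpay-Timestamp'] . "\n"
             . $headers['Wechatpay-Nonce'] . "\n"
             . $body . "\n";
    $signature = base64_decode($headers['Wechatpay-Signature'], true);
    if ($signature === false) {
        return false;
    }
    $key = openssl_pkey_get_public($publicKeyPem);
    if ($key === false) {
        return false;
    }
    return openssl_verify($message, $signature, $key, OPENSSL_ALGO_SHA256) === 1;
}

// Self-test with a constructed key pair and a constructed notification body.
$pair   = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$pubPem = openssl_pkey_get_details($pair)['key'];
$body   = '{"id":"constructed-notify-1","event_type":"TRANSACTION.SUCCESS"}';

// A forged notification that only carries "Host: localhost" and a bogus signature.
$forged = [
    'Host'                => 'localhost',
    'Wechatpay-Timestamp' => (string) time(),
    'Wechatpay-Nonce'     => 'constructed-nonce',
    'Wechatpay-Signature' => base64_encode('not a real signature'),
];
var_dump(verify_notify_vulnerable($forged, $body, $pubPem)); // accepted by the flawed check
var_dump(verify_notify_hardened($forged, $body, $pubPem));   // rejected by the hardened check

// A genuinely signed notification still passes the hardened check.
$signed = $forged;
$signed['Host'] = 'shop.example';
$message = $signed['Wechatpay-Timestamp'] . "\n" . $signed['Wechatpay-Nonce'] . "\n" . $body . "\n";
openssl_sign($message, $sig, $pair, OPENSSL_ALGO_SHA256);
$signed['Wechatpay-Signature'] = base64_encode($sig);
var_dump(verify_notify_hardened($signed, $body, $pubPem));
```

The design point is that nothing the remote party sends (`Host`, `X-Forwarded-For`, a "debug" flag) may be used to decide whether to verify; the decision to verify is unconditional and the only input that grants trust is a signature under a key the application already holds. Logging rejections with the presented `Host` value also gives the monitoring step in the remediation section something concrete to alert on.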

Potential Impact

The impact of this vulnerability is severe and direct. By bypassing signature verification, an attacker can send fake “payment successful” notifications to an online store or service using the vulnerable SDK. The application would then incorrectly mark orders as paid, potentially leading to:

  • Goods or services being provided without any actual payment received.
  • Significant financial loss and inventory discrepancies.
  • Erosion of customer trust and operational disruption.

This type of flaw is a prime target for fraudsters, and similar payment bypass vulnerabilities have been linked to substantial losses, as seen in various breach reports.

Remediation and Mitigation

The primary and only complete remediation is to update the Pay SDK package immediately.

Action Required:

  1. Update: All users must upgrade to Pay SDK version 3.7.20 or later. This version contains the fix that removes the unconditional localhost bypass.
  2. Verify: After updating, confirm that your application is running the patched version. Review your deployment processes to ensure the update is applied across all environments (development, staging, production).
  3. Monitor: Closely monitor payment completion logs and order fulfillment systems for any unusual activity, especially for orders marked as paid via WeChat Pay around the time of potential exploitation.

There is no effective workaround for this flaw without applying the update. Relying on network-level filtering is insufficient, as the malicious request targets the application logic itself. Staying informed about such critical patches is a cornerstone of application security, and you can follow updates on similar threats through our security news coverage.
