CVE-2026-30886
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
New API is a large language mode (LLM) gateway and artificial intelligence (AI) asset management system. Prior to version 0.11.4-alpha.2, an Insecure Direct Object Reference (IDOR) vulnerability in the video proxy endpoint (GET /v1/videos/:task_id/content) allows any authenticated user to access video content belonging to other users and causes the server to authenticate to upstream AI providers (Google Gemini, OpenAI) using credentials derived from tasks they do not own. The missing authorization check is a single function call — model.GetByOnlyTaskId(taskID) queries by task_id alone with no user_id filter, while every other task-lookup in the codebase enforces ownership via model.GetByTaskId(userId, taskID). Version 0.11.4-alpha.2 contains a patch.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| QuantumNous | new-api | < 0.11.4-alpha.2 | affected |
Weaknesses
- CWE-639: CWE-639: Authorization Bypass Through User-Controlled Key
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: partial
References
- https://github.com/QuantumNous/new-api/security/advisories/GHSA-f35r-v9x5-r8mc
- https://github.com/QuantumNous/new-api/commit/50ec2bac6b341e651fc9ac4344e3bd2cdaeafdbd
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.