Summaryinfo

A vulnerability was found in QuantumNous new-api. It has been rated as problematic. This vulnerability affects the function model.GetByOnlyTaskId of the file /v1/videos/ of the component Video Proxy Endpoint. This manipulation of the argument task_id causes authorization. This vulnerability is tracked as CVE-2026-30886. The attack is possible to be carried out remotely. No exploit exists. Upgrading the affected component is advised.

Detailsinfo

A vulnerability has been found in QuantumNous new-api and classified as problematic. Affected by this vulnerability is the function model.GetByOnlyTaskId of the file /v1/videos/ of the component Video Proxy Endpoint. The manipulation of the argument task_id with an unknown input leads to a authorization vulnerability. The CWE definition for the vulnerability is CWE-639. The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. As an impact it is known to affect confidentiality. The summary by CVE is:

New API is a large language mode (LLM) gateway and artificial intelligence (AI) asset management system. Prior to version 0.11.4-alpha.2, an Insecure Direct Object Reference (IDOR) vulnerability in the video proxy endpoint (`GET /v1/videos/:task_id/content`) allows any authenticated user to access video content belonging to other users and causes the server to authenticate to upstream AI providers (Google Gemini, OpenAI) using credentials derived from tasks they do not own. The missing authorization check is a single function call — `model.GetByOnlyTaskId(taskID)` queries by `task_id` alone with no `user_id` filter, while every other task-lookup in the codebase enforces ownership via `model.GetByTaskId(userId, taskID)`. Version 0.11.4-alpha.2 contains a patch.

The advisory is shared at github.com. This vulnerability is known as CVE-2026-30886 since 03/06/2026. The exploitation appears to be easy. The attack can be launched remotely. Technical details are known, but no exploit is available.

Upgrading to version 0.11.4-alpha.2 eliminates this vulnerability. Applying the patch 50ec2bac6b341e651fc9ac4344e3bd2cdaeafdbd is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Productinfo

Type

• Automation Software

Vendor

• QuantumNous

Name

• new-api

Version

• 0.8.5.2
• 0.9.0.5
• 0.9.6
• 0.10.8-alpha.9
• 0.10.8-alpha.10

License

• open-source

Website

• Product: https://github.com/QuantumNous/new-api/

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion