Description
New API is a large language model (LLM) gateway and artificial intelligence (AI) asset management system. Prior to version 0.10.8-alpha.10, a SQL LIKE wildcard injection vulnerability in the `/api/token/search` endpoint allows authenticated users to cause denial of service through resource exhaustion by crafting malicious search patterns. The token search endpoint accepts user-supplied `keyword` and `token` parameters that are directly concatenated into SQL LIKE clauses without escaping wildcard characters (`%`, `_`). This allows attackers to inject patterns that trigger expensive database queries. Version 0.10.8-alpha.10 contains a patch.
Published: 2026-02-24
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

The vulnerability resides in the token search endpoint of new-api, where user-supplied keyword and token values are concatenated directly into a SQL LIKE clause without escaping the wildcard characters. An attacker can supply patterns built from '%' or '_' that force the database into extremely expensive scans, exhausting server resources and causing a denial of service. The weakness is mapped to CWE-943; its impact is a loss of availability for every user of the service, and it can be triggered by any authenticated user who can reach the search feature.

Affected Systems

QuantumNous new-api is affected, specifically all releases prior to v0.10.8‑alpha.10. Users running earlier alpha versions (0.10.8‑alpha.1 through 0.10.8‑alpha.9, and any older builds) are vulnerable. The patch included in v0.10.8‑alpha.10 addresses the unchecked wildcard usage.

Risk and Exploitability

The CVSS 4.0 score of 7.1 indicates high severity (the CVSS 3.1 vector on this page scores 6.5); however, the EPSS score of less than 1% suggests a very low likelihood of exploitation. Exploitation requires prior authentication and access to the /api/token/search endpoint, so unauthenticated actors cannot trigger it. The vulnerability does not appear in the CISA KEV catalog, which further lowers its known exploitation risk. Nevertheless, the potential for resource exhaustion remains significant in environments with heavy search traffic or limited database resources.

Generated by OpenCVE AI on April 17, 2026 at 16:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update QuantumNous new-api to version 0.10.8‑alpha.10 or later to incorporate the patch
  • Restrict the token search endpoint to authorized users and consider implementing rate limiting or query timeout controls to mitigate denial‑of‑service conditions
  • Validate and escape any user‑supplied keyword or token parameters before they are incorporated into SQL LIKE clauses, ensuring that wildcard characters such as '%' and '_' are sanitized or prohibited
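As an added illustration in Go (not code from the new-api project), the concatenation pattern the advisory describes is shown beside a hardened form that escapes LIKE wildcards, declares an ESCAPE clause and bounds input length; the `!` escape character, the 64-character cap and the `tokens`/`name` identifiers are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// likeEscape is the escape character declared in the ESCAPE clause. "!" is
// used because, unlike "\", it needs no extra quoting inside MySQL,
// PostgreSQL or SQLite string literals.
const likeEscape = "!"

// maxKeywordLen is an assumed upper bound on search input (not a value
// taken from the advisory or the project).
const maxKeywordLen = 64

// vulnerableSearchQuery reproduces the defect class the advisory describes:
// the keyword is concatenated straight into the LIKE pattern, so a "%"
// or "_" supplied by the caller acts as a wildcard instead of a literal.
func vulnerableSearchQuery(keyword string) string {
	return fmt.Sprintf("SELECT * FROM tokens WHERE name LIKE '%%%s%%'", keyword)
}

// escapeLike makes a user string match literally inside a LIKE pattern by
// prefixing the escape character and both wildcards with likeEscape.
// NewReplacer works in a single pass, so the escapes it inserts are not
// themselves re-escaped.
func escapeLike(s string) string {
	return strings.NewReplacer(
		likeEscape, likeEscape+likeEscape,
		"%", likeEscape+"%",
		"_", likeEscape+"_",
	).Replace(s)
}

// hardenedSearchQuery returns a parameterised statement and its bound
// pattern. Binding alone does not neutralise wildcards, because they
// travel inside the value; the input is therefore escaped first and an
// ESCAPE clause names the literal-introducing character. Over-long
// input is rejected before it reaches the database.
func hardenedSearchQuery(keyword string) (string, string, error) {
	if len(keyword) > maxKeywordLen {
		return "", "", errors.New("search keyword too long")
	}
	pattern := "%" + escapeLike(keyword) + "%"
	stmt := fmt.Sprintf("SELECT * FROM tokens WHERE name LIKE ? ESCAPE '%s'", likeEscape)
	return stmt, pattern, nil
}
```

Calling `hardenedSearchQuery("50%_off")` yields the bound pattern `%50!%!_off%`, so the database matches the literal string rather than treating the user's `%` and `_` as wildcards.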

Advisories

Source: GitHub GHSA
ID: GHSA-w6x6-9fp7-fqm4
Title: New API has an SQL LIKE Wildcard Injection DoS via Token Search
History

Tue, 03 Mar 2026 17:30:00 +0000

Type: First Time appeared
Values Added: Newapi; Newapi new Api

Type: CPEs
Values Added:
cpe:2.3:a:newapi:new_api:*:*:*:*:*:*:*:*
cpe:2.3:a:newapi:new_api:0.10.8:alpha1:*:*:*:*:*:*
cpe:2.3:a:newapi:new_api:0.10.8:alpha2:*:*:*:*:*:*
cpe:2.3:a:newapi:new_api:0.10.8:alpha3:*:*:*:*:*:*
cpe:2.3:a:newapi:new_api:0.10.8:alpha4:*:*:*:*:*:*
cpe:2.3:a:newapi:new_api:0.10.8:alpha5:*:*:*:*:*:*
cpe:2.3:a:newapi:new_api:0.10.8:alpha6:*:*:*:*:*:*
cpe:2.3:a:newapi:new_api:0.10.8:alpha7:*:*:*:*:*:*
cpe:2.3:a:newapi:new_api:0.10.8:alpha8:*:*:*:*:*:*
cpe:2.3:a:newapi:new_api:0.10.8:alpha9:*:*:*:*:*:*

Type: Vendors & Products
Values Added: Newapi; Newapi new Api

Type: Metrics
Values Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


Thu, 26 Feb 2026 17:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 24 Feb 2026 10:00:00 +0000

Type: First Time appeared
Values Added: Quantumnous; Quantumnous new-api

Type: Vendors & Products
Values Added: Quantumnous; Quantumnous new-api

Tue, 24 Feb 2026 01:15:00 +0000

Type: Description
Values Added: New API is a large language mode (LLM) gateway and artificial intelligence (AI) asset management system. Prior to version 0.10.8-alpha.10, a SQL LIKE wildcard injection vulnerability in the `/api/token/search` endpoint allows authenticated users to cause denial of service through resource exhaustion by crafting malicious search patterns. The token search endpoint accepts user-supplied `keyword` and `token` parameters that are directly concatenated into SQL LIKE clauses without escaping wildcard characters (`%`, `_`). This allows attackers to inject patterns that trigger expensive database queries. Version 0.10.8-alpha.10 contains a patch.

Type: Title
Values Added: New API has an SQL LIKE Wildcard Injection DoS via Token Search

Type: Weaknesses
Values Added: CWE-943

Type: References

Type: Metrics
Values Added: cvssV4_0 {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-26T14:57:18.199Z

Reserved: 2026-02-03T01:02:46.716Z

Link: CVE-2026-25591

Vulnrichment

Updated: 2026-02-26T14:57:12.150Z

NVD

Status : Analyzed

Published: 2026-02-24T01:16:13.457

Modified: 2026-03-03T17:22:36.210

Link: CVE-2026-25591

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T16:15:22Z

Weaknesses