Description
New API is a large language model (LLM) gateway and artificial intelligence (AI) asset management system. Prior to version 0.11.4-alpha.2, an Insecure Direct Object Reference (IDOR) vulnerability in the video proxy endpoint (`GET /v1/videos/:task_id/content`) allows any authenticated user to access video content belonging to other users and causes the server to authenticate to upstream AI providers (Google Gemini, OpenAI) using credentials derived from tasks they do not own. The missing authorization check is a single function call — `model.GetByOnlyTaskId(taskID)` queries by `task_id` alone with no `user_id` filter, while every other task lookup in the codebase enforces ownership via `model.GetByTaskId(userId, taskID)`. Version 0.11.4-alpha.2 contains a patch.
Published: 2026-03-23
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized cross‑user video access and credential leakage via missing ownership check
Action: Patch Immediately
AI Analysis

Impact

An insecure direct object reference flaw in the video proxy endpoint enables any authenticated user to retrieve video content belonging to other users and causes the server to authenticate to upstream AI providers with credentials derived from tasks the user does not own, potentially exposing privileged credentials and private media.

Affected Systems

QuantumNous new‑api, all releases prior to 0.11.4‑alpha.2. The vulnerability exists in the video proxy endpoint accessed with the path /v1/videos/:task_id/content.

Risk and Exploitability

The CVSS score is 6.5, indicating a moderate risk. The EPSS score is less than 1%, suggesting a low probability of widespread exploitation, and the issue is not listed in CISA’s KEV catalog. The likely attack vector requires an authenticated session and knowledge of a target's task ID; the missing authorization check is simply a call to model.GetByOnlyTaskId(taskID) without a user‑id filter, allowing the data to be fetched without ownership verification.

Generated by OpenCVE AI on March 25, 2026 at 20:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the 0.11.4‑alpha.2 patch or later to enforce ownership checks
  • Confirm that your deployment is at version 0.11.4‑alpha.2 or newer
  • Audit activity logs for unexpected access to /v1/videos/:task_id/content
  • If unable to upgrade immediately, restrict endpoint access to a whitelist of authorized users or add an additional ownership check in the request handling code

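The lookup contrast the description draws (a filter on task_id alone versus task_id plus user_id), together with the additional ownership check the last recommended action asks for, as an added Go illustration that is not new-api's own code: the Task type, the in-memory TaskStore and the VideoProxy function are constructed stand-ins that borrow only the two method names from the advisory.

```go
package main

import "errors"
import "fmt"

// Task is a constructed stand-in for a stored video task (not new-api's own type).
type Task struct {
	TaskID, Channel string // Channel: upstream provider whose credentials the task is bound to
	UserID          int
}

// TaskStore is an in-memory stand-in for the tasks table, keyed by task_id.
type TaskStore map[string]Task

// GetByOnlyTaskId mirrors the lookup the advisory identifies as the flaw:
// the filter is task_id alone, so the caller's identity plays no part.
func (s TaskStore) GetByOnlyTaskId(taskID string) (Task, bool) {
	t, ok := s[taskID]
	return t, ok
}

// GetByTaskId mirrors the ownership-enforcing lookup used elsewhere in the
// codebase: user_id is part of the filter, so a foreign task is simply absent.
func (s TaskStore) GetByTaskId(userID int, taskID string) (Task, bool) {
	t, ok := s[taskID]
	return t, ok && t.UserID == userID
}

// VideoProxy models the handler for GET /v1/videos/:task_id/content and returns
// the channel whose credentials the server would present upstream.
func VideoProxy(s TaskStore, callerID int, taskID string, enforceOwner bool) (string, error) {
	t, ok := s.GetByOnlyTaskId(taskID) // pre-0.11.4-alpha.2: caller identity ignored
	if enforceOwner {
		t, ok = s.GetByTaskId(callerID, taskID) // patched: user_id is part of the filter
	}
	if !ok { // one answer for "no such task" and "not yours": no existence oracle
		return "", errors.New("task not found")
	}
	return t.Channel, nil
}

func main() { // user 2 requests user 1's task, before and after the fix
	store := TaskStore{"task-alice-1": {TaskID: "task-alice-1", UserID: 1, Channel: "gemini"}}
	for _, enforce := range []bool{false, true} {
		ch, err := VideoProxy(store, 2, "task-alice-1", enforce)
		fmt.Printf("enforceOwner=%v channel=%q err=%v\n", enforce, ch, err)
	}
}
```

With the ownership filter in place a foreign task and a non-existent task produce the same refusal, which is the property to verify after upgrading or when adding the check by hand.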


Advisories
Source: GitHub GHSA
ID: GHSA-f35r-v9x5-r8mc
Title: New API: IDOR in VideoProxy allows cross-user video content access via missing ownership check
History

Wed, 25 Mar 2026 18:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | - | Newapi; Newapi new Api
CPEs | - | cpe:2.3:a:newapi:new_api:*:*:*:*:*:*:*:*; cpe:2.3:a:newapi:new_api:0.11.4:alpha1:*:*:*:*:*:*
Vendors & Products | - | Newapi; Newapi new Api

Wed, 25 Mar 2026 15:15:00 +0000

Type | Values Removed | Values Added
Metrics | - | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 24 Mar 2026 10:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | - | Quantumnous; Quantumnous new-api
Vendors & Products | - | Quantumnous; Quantumnous new-api

Mon, 23 Mar 2026 19:45:00 +0000

Type | Values Removed | Values Added
Description | - | New API is a large language model (LLM) gateway and artificial intelligence (AI) asset management system. Prior to version 0.11.4-alpha.2, an Insecure Direct Object Reference (IDOR) vulnerability in the video proxy endpoint (`GET /v1/videos/:task_id/content`) allows any authenticated user to access video content belonging to other users and causes the server to authenticate to upstream AI providers (Google Gemini, OpenAI) using credentials derived from tasks they do not own. The missing authorization check is a single function call — `model.GetByOnlyTaskId(taskID)` queries by `task_id` alone with no `user_id` filter, while every other task lookup in the codebase enforces ownership via `model.GetByTaskId(userId, taskID)`. Version 0.11.4-alpha.2 contains a patch.
Title | - | New API: IDOR in VideoProxy allows cross-user video content access via missing ownership check
Weaknesses | - | CWE-639
References | - |
Metrics | - | cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-25T14:41:44.784Z

Reserved: 2026-03-06T00:04:56.700Z

Link: CVE-2026-30886

Vulnrichment

Updated: 2026-03-25T14:41:37.834Z

NVD

Status: Analyzed

Published: 2026-03-23T20:16:25.963

Modified: 2026-03-25T17:53:53.027

Link: CVE-2026-30886

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T20:36:51Z

Weaknesses