Description
A security vulnerability has been detected in QuantumNous new-api up to 0.12.1. This affects the function RelayMidjourneyImage/GetByOnlyMJId of the file router/relay-router.go of the component Midjourney Image Relay Endpoint. Such manipulation leads to authorization bypass. The attack can be launched remotely. The attack requires a high level of complexity. The exploitability is reported as difficult. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-05-23
Score: 6.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in QuantumNous new-api up to version 0.12.1, specifically in the RelayMidjourneyImage/GetByOnlyMJId route within the Midjourney Image Relay Endpoint. It allows an attacker to bypass authorization controls, enabling them to retrieve or manipulate images associated with Midjourney IDs without proper privileges. The flaw results in unauthorized access, potentially exposing sensitive image data and compromising data confidentiality and integrity.

Affected Systems

QuantumNous new-api software, versions up to and including 0.12.1.

Risk and Exploitability

The CVSS score of 6.3 indicates moderate severity. EPSS information is not available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation is reported as difficult and the attack requires a high level of complexity, but the exploit has been disclosed publicly and may be used remotely.

Generated by OpenCVE AI on May 23, 2026 at 16:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade QuantumNous new-api to a patched version that eliminates the authorization bypass.
  • Configure strict authentication and authorization checks on the Midjourney Image Relay Endpoint to prevent unauthenticated access.
  • Implement network segmentation or firewall rules to limit exposure of the endpoint to trusted networks.
  • Enable logging and monitoring for suspicious requests to the GetByOnlyMJId route to detect any attempted bypass.

Advisories

No advisories yet.

History

Sat, 23 May 2026 15:30:00 +0000

Type | Values Removed | Values Added
Description | | A security vulnerability has been detected in QuantumNous new-api up to 0.12.1. This affects the function RelayMidjourneyImage/GetByOnlyMJId of the file router/relay-router.go of the component Midjourney Image Relay Endpoint. Such manipulation leads to authorization bypass. The attack can be launched remotely. The attack requires a high level of complexity. The exploitability is reported as difficult. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title | | QuantumNous new-api Midjourney Image Relay Endpoint relay-router.go GetByOnlyMJId authorization
First Time appeared | | Quantumnous; Quantumnous new-api
Weaknesses | | CWE-285; CWE-639
CPEs | | cpe:2.3:a:quantumnous:new-api:*:*:*:*:*:*:*:*
Vendors & Products | | Quantumnous; Quantumnous new-api
References | |
Metrics | | cvssV2_0: {'score': 2.6, 'vector': 'AV:N/AC:H/Au:N/C:P/I:N/A:N/E:POC/RL:ND/RC:UR'}
 | | cvssV3_0: {'score': 3.7, 'vector': 'CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}
 | | cvssV3_1: {'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}
 | | cvssV4_0: {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-23T15:00:13.553Z

Reserved: 2026-05-22T18:03:30.299Z

Link: CVE-2026-9306

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-23T16:30:22Z

Weaknesses