
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-30886: Insecure Direct Object Reference in QuantumNous New API Video Proxy

Vulnerability ID: CVE-2026-30886
CVSS Score: 6.5
Published: 2026-03-23

CVE-2026-30886 is an Insecure Direct Object Reference (IDOR) vulnerability in the QuantumNous new-api LLM gateway. It affects versions prior to 0.11.4-alpha.2: because the video proxy task lookup performed no ownership check, any authenticated user could retrieve arbitrary video proxy tasks by task id, leading to unauthorized data access and consumption of the victim's AI provider quota.

TL;DR

An IDOR in QuantumNous new-api allows authenticated users to access other users' video proxy tasks, exposing private content and consuming victim AI quotas.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-639
  • Attack Vector: Network
  • CVSS Base Score: 6.5
  • Exploit Status: Proof-of-Concept
  • CISA KEV Listed: False
  • Impact: Confidentiality (High)

Affected Systems

  • QuantumNous new-api
  • new-api: < 0.11.4-alpha.2 (Fixed in: 0.11.4-alpha.2)

Code Analysis

Commit: 50ec2ba

Fix task authorization check in video proxy controller

@@ -35,7 +35,8 @@ func VideoProxy(c *gin.Context) {
        return
    }

-   task, exists, err := model.GetByOnlyTaskId(taskID)
+   userID := c.GetInt("id")
+   task, exists, err := model.GetByTaskId(userID, taskID)
    if err != nil {
        logger.LogError(c.Request.Context(), fmt.Sprintf("Failed to query task %s: %s", taskID, err.Error()))
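Review bot: `c.GetInt("id")` returns 0 when the key was never set on the context, so if this handler can be reached without the authentication middleware (or with it mis-ordered) the scoped query runs for user 0 instead of failing closed; check the key's presence with `c.Get("id")` and reject the request when it is missing before using the value as an ownership filter. The `exists` result from `model.GetByTaskId(userID, taskID)` should also be handled so that a task owned by another user gets the same response as a task that does not exist, otherwise the scoped lookup still acts as an existence oracle; a test that requests another user's task id and expects that identical response would pin this down.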


Mitigation Strategies

  • Upgrade to new-api version 0.11.4-alpha.2
  • Manually backport commit 50ec2bac6b341e651fc9ac4344e3bd2cdaeafdbd
  • Implement high-entropy identifiers (UUIDs) for task indexing (defense in depth only; unguessable ids do not replace the per-user authorization check)
  • Audit codebase for other uses of model.GetByOnlyTaskId

Remediation Steps:

  1. Review current deployment version of new-api.
  2. If vulnerable, schedule a maintenance window to apply the update.
  3. Deploy the 0.11.4-alpha.2 binary or container image.
  4. Verify functionality of the /v1/videos/:task_id/content endpoint.
  5. Review access logs for signs of sequential ID polling to identify potential past exploitation.
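To support remediation step 5, an added Go example (not code from the new-api project) that flags clients whose requests to /v1/videos/:task_id/content walk consecutive task ids; the log line format and client names are constructed, and a real deployment's access-log layout would need its own regular expression.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strconv"
	"strings"
)

// Constructed log lines (not from any real deployment): user7 walks task ids in order, user9 does not.
const sampleLog = `user7 GET /v1/videos/1200/content 200
user7 GET /v1/videos/1201/content 200
user7 GET /v1/videos/1202/content 404
user9 GET /v1/videos/4410/content 200`
var videoLine = regexp.MustCompile(`^(\S+) \S+ /v1/videos/(\d+)/content\b`) // client, then task id

// SequentialPollers returns (sorted) each client that requested >= minIDs distinct task ids of which
// >= minRatio have id+1 also requested by that client; an ascending run scores 1.0. Status codes are
// ignored: with the unscoped lookup a foreign task is served with 200, so counting 404s would miss it.
func SequentialPollers(log string, minIDs int, minRatio float64) []string {
	seen := map[string]map[int]bool{} // client -> set of task ids requested
	for _, line := range strings.Split(log, "\n") {
		m := videoLine.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		id, _ := strconv.Atoi(m[2])
		if seen[m[1]] == nil {
			seen[m[1]] = map[int]bool{}
		}
		seen[m[1]][id] = true
	}
	var flagged []string
	for client, ids := range seen {
		adjacent := 0
		for id := range ids {
			if ids[id+1] {
				adjacent++
			}
		}
		if len(ids) >= minIDs && float64(adjacent)/float64(len(ids)-1) >= minRatio {
			flagged = append(flagged, client)
		}
	}
	sort.Strings(flagged)
	return flagged
}
func main() {
	fmt.Println(SequentialPollers(sampleLog, 3, 0.8)) // [user7]
}
```

Tune minIDs and minRatio to the normal per-user task volume; a single client polling its own handful of tasks repeatedly scores low because repeats do not add distinct ids.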

Read the full report for CVE-2026-30886 on our website for more details including interactive diagrams and full exploit analysis.
