CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-9306: Unauthenticated Insecure Direct Object Reference (IDOR) in QuantumNous new-api Midjourney Relay

Vulnerability ID: CVE-2026-9306
CVSS Score: 6.3
Published: 2026-05-23

CVE-2026-9306 is a critical unauthenticated Insecure Direct Object Reference (IDOR) vulnerability in the QuantumNous new-api application, affecting versions up to and including 0.12.1. The flaw is caused by improper middleware ordering (the image route is registered before the authentication middleware runs) combined with a missing object-level authorization check on the task lookup. It allows remote, unauthenticated attackers to retrieve sensitive Midjourney images belonging to other users by supplying a valid task identifier.

TL;DR

An architectural flaw in QuantumNous new-api <= 0.12.1 allows unauthenticated attackers to bypass authorization and extract user-generated Midjourney images via the /mj/image/:id endpoint using a valid task ID.


⚠️ Exploit Status: WEAPONIZED

Technical Details

  • CWE ID: CWE-639
  • Attack Vector: Network
  • CVSS 4.0: 6.3
  • Authentication: None Required
  • Impact: Data Exfiltration (Low Confidentiality)
  • Exploit Status: Weaponized PoC Available
  • KEV Status: Not Listed

Affected Systems

  • QuantumNous new-api
  • new-api: <= 0.12.1

Exploit Details

Mitigation Strategies

  • Manual code modification to fix middleware ordering
  • Manual code modification to enforce user scoping in database queries
  • Deployment of Web Application Firewall (WAF) rules to enforce authentication headers

Remediation Steps:

  1. Open router/relay-router.go in the repository source.
  2. Locate the line relayMjRouter.GET("/image/:id", relay.RelayMidjourneyImage).
  3. Move this line below the relayMjRouter.Use(middleware.TokenAuth(), middleware.Distribute()) declaration.
  4. Open relay/mjproxy_handler.go and locate the data retrieval call.
  5. Modify the call from model.GetByOnlyMJId(taskId) to model.GetByMJId(userId, taskId), ensuring the userId is extracted from the authenticated Gin context.
  6. Recompile the application and restart the service.
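The two defects the remediation steps address (route registered ahead of the auth middleware, and a lookup keyed by task ID alone) can be shown side by side in a small self-contained program. This is an added example, not code from the new-api project: it uses Go's standard `net/http` instead of Gin so it runs offline, and the task store, token table, `getByOnlyMJID`/`getByMJID` helpers and `tokenAuth` middleware are constructed stand-ins for the project's `model.GetByOnlyMJId`, `model.GetByMJId` and `middleware.TokenAuth()`. In Gin, `group.Use(...)` only applies to routes registered after it, which is why step 3 moves the route; the stdlib version makes the same distinction explicit by either wrapping the handler in `tokenAuth` or not.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed in-memory task store (assumption: stands in for the DB table
// that a real deployment queries). Each task belongs to exactly one user.
type mjTask struct {
	UserID int
	Image  string
}

var tasks = map[string]mjTask{
	"task-1111": {UserID: 1, Image: "image-bytes-of-user-1"},
	"task-2222": {UserID: 2, Image: "image-bytes-of-user-2"},
}

var errNotFound = errors.New("task not found")

// getByOnlyMJID mirrors the vulnerable lookup: filtered by task ID only,
// so any caller who knows the ID gets the row regardless of owner.
func getByOnlyMJID(taskID string) (mjTask, error) {
	if t, ok := tasks[taskID]; ok {
		return t, nil
	}
	return mjTask{}, errNotFound
}

// getByMJID mirrors the fixed lookup: the owner is part of the key, so a
// task belonging to someone else is indistinguishable from a missing one.
func getByMJID(userID int, taskID string) (mjTask, error) {
	if t, ok := tasks[taskID]; ok && t.UserID == userID {
		return t, nil
	}
	return mjTask{}, errNotFound
}

type ctxKey struct{}

// Constructed API-token table (assumption: stands in for token validation).
var tokens = map[string]int{"sk-user1": 1, "sk-user2": 2}

// tokenAuth is a stand-in for middleware.TokenAuth(): it resolves the
// bearer token to a user ID and stores it in the request context.
func tokenAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		tok := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
		uid, ok := tokens[tok]
		if !ok {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), ctxKey{}, uid)))
	})
}

func taskIDFromPath(r *http.Request) string {
	return strings.TrimPrefix(r.URL.Path, "/mj/image/")
}

// vulnerableImageHandler: nothing authenticated the caller, and the query
// is not scoped to a user, so a valid task ID is the only "credential".
func vulnerableImageHandler(w http.ResponseWriter, r *http.Request) {
	t, err := getByOnlyMJID(taskIDFromPath(r))
	if err != nil {
		http.NotFound(w, r)
		return
	}
	fmt.Fprint(w, t.Image)
}

// fixedImageHandler: relies on tokenAuth having run, and scopes the lookup
// to the authenticated user (the equivalent of remediation step 5).
func fixedImageHandler(w http.ResponseWriter, r *http.Request) {
	uid, ok := r.Context().Value(ctxKey{}).(int)
	if !ok {
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	t, err := getByMJID(uid, taskIDFromPath(r))
	if err != nil {
		http.NotFound(w, r) // same response for missing and foreign tasks
		return
	}
	fmt.Fprint(w, t.Image)
}

// NewVulnerableRouter registers the image route with no auth in front of it.
func NewVulnerableRouter() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/mj/image/", vulnerableImageHandler)
	return mux
}

// NewFixedRouter places the auth middleware in front of the route
// (the equivalent of remediation step 3).
func NewFixedRouter() http.Handler {
	mux := http.NewServeMux()
	mux.Handle("/mj/image/", tokenAuth(http.HandlerFunc(fixedImageHandler)))
	return mux
}

// Fetch performs an in-process GET and returns the status code and body.
func Fetch(h http.Handler, taskID, token string) (int, string) {
	req := httptest.NewRequest(http.MethodGet, "/mj/image/"+taskID, nil)
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, rec.Body.String()
}

func main() {
	cases := []struct {
		name        string
		h           http.Handler
		task, token string
	}{
		{"vulnerable, no token", NewVulnerableRouter(), "task-2222", ""},
		{"fixed, no token", NewFixedRouter(), "task-2222", ""},
		{"fixed, other user's token", NewFixedRouter(), "task-2222", "sk-user1"},
		{"fixed, owner's token", NewFixedRouter(), "task-2222", "sk-user2"},
	}
	for _, c := range cases {
		code, body := Fetch(c.h, c.task, c.token)
		fmt.Printf("%-26s -> %d %q\n", c.name, code, strings.TrimSpace(body))
	}
}
```

Running it shows the vulnerable router returning user 2's image with no token at all, while the fixed router answers 401 without a token, 404 when user 1 presents a valid token for user 2's task, and 200 only for the owner. Returning 404 rather than 403 for a foreign task is deliberate: it avoids confirming that a guessed task ID exists.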

Read the full report for CVE-2026-9306 on our website for more details including interactive diagrams and full exploit analysis.