Vulnerability Description
New API is a large language mode (LLM) gateway and artificial intelligence (AI) asset management system. Prior to version 0.11.4-alpha.2, an Insecure Direct Object Reference (IDOR) vulnerability in the video proxy endpoint (`GET /v1/videos/:task_id/content`) allows any authenticated user to access video content belonging to other users and causes the server to authenticate to upstream AI providers (Google Gemini, OpenAI) using credentials derived from tasks they do not own. The missing authorization check is a single function call — `model.GetByOnlyTaskId(taskID)` queries by `task_id` alone with no `user_id` filter, while every other task-lookup in the codebase enforces ownership via `model.GetByTaskId(userId, taskID)`. Version 0.11.4-alpha.2 contains a patch.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Newapi | New Api | < 0.11.4 |
Related Weaknesses (CWE)
References
- https://github.com/QuantumNous/new-api/commit/50ec2bac6b341e651fc9ac4344e3bd2cdaPatch
- https://github.com/QuantumNous/new-api/security/advisories/GHSA-f35r-v9x5-r8mcExploitMitigationVendor Advisory
FAQ
What is CVE-2026-30886?
CVE-2026-30886 is a vulnerability with a CVSS score of 6.5 (MEDIUM). New API is a large language mode (LLM) gateway and artificial intelligence (AI) asset management system. Prior to version 0.11.4-alpha.2, an Insecure Direct Object Reference (IDOR) vulnerability in th...
How severe is CVE-2026-30886?
CVE-2026-30886 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-30886?
Check the references section above for vendor advisories and patch information. Affected products include: Newapi New Api.