Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
4DescriptionGitHub Advisory
New API is a large language mode (LLM) gateway and artificial intelligence (AI) asset management system. Prior to version 0.11.4-alpha.2, an Insecure Direct Object Reference (IDOR) vulnerability in the video proxy endpoint (GET /v1/videos/:task_id/content) allows any authenticated user to access video content belonging to other users and causes the server to authenticate to upstream AI providers (Google Gemini, OpenAI) using credentials derived from tasks they do not own. The missing authorization check is a single function call - model.GetByOnlyTaskId(taskID) queries by task_id alone with no user_id filter, while every other task-lookup in the codebase enforces ownership via model.GetByTaskId(userId, taskID). Version 0.11.4-alpha.2 contains a patch.
AnalysisAI
An Insecure Direct Object Reference (IDOR) vulnerability exists in New API versions prior to 0.11.4-alpha.2, a large language model gateway and AI asset management system. Authenticated users can bypass authorization checks on the video proxy endpoint (GET /v1/videos/:task_id/content) to access video content belonging to other users and cause the server to authenticate to upstream AI providers (Google Gemini, OpenAI) using credentials derived from tasks they do not own. The vulnerability stems from a single unguarded function call that queries tasks by task_id alone without validating user ownership, contrasting sharply with all other task-lookup functions in the codebase that properly enforce ownership checks.
Technical ContextAI
New API (cpe:2.3:a:quantumnous:new-api:*:*:*:*:*:*:*:*) is an LLM gateway and AI asset management platform that proxies requests to upstream AI providers. The vulnerability is rooted in CWE-639 (Authorization Bypass Through User-Controlled Key), a classic authorization flaw where the application trusts client-supplied identifiers without validating ownership. The affected endpoint uses the function model.GetByOnlyTaskId(taskID) which queries the database by task_id parameter alone, whereas the security-correct pattern used elsewhere in the codebase is model.GetByTaskId(userId, taskID), which includes both the user context and task identifier. This inconsistency allows an attacker to construct requests with arbitrary task_id values, bypassing the intended multi-tenant isolation and gaining access to video content and associated provider credentials not belonging to them.
RemediationAI
Upgrade New API to version 0.11.4-alpha.2 or later immediately, which contains the authorization bypass patch. Verify the patch by checking commit 50ec2bac6b341e651fc9ac4344e3bd2cdaeafdbd in the repository (https://github.com/QuantumNous/new-api/commit/50ec2bac6b341e651fc9ac4344e3bd2cdaeafdbd). As an interim mitigation prior to patching, implement network-level access controls restricting the video proxy endpoint (GET /v1/videos/:task_id/content) to trusted clients or disable the endpoint if not in use. Additionally, audit access logs for the affected endpoint to identify any unauthorized task_id access patterns, and consider rotating AI provider credentials (Google Gemini, OpenAI API keys) if the system handles sensitive workloads. Implement application-level rate limiting and monitoring on the video proxy endpoint to detect anomalous access patterns that may indicate exploitation attempts.
Same technique Authentication Bypass
View allVendor StatusVendor
SUSE
Severity: Medium| Product | Status |
|---|---|
| openSUSE Leap 15.6 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP5 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP6 | Fixed |
| openSUSE Leap 15.5 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-14518
GHSA-f35r-v9x5-r8mc