Skip to main content

QuantumNous new-api CVE-2026-9305

| EUVDEUVD-2026-31541 LOW
SQL Injection (CWE-89)
2026-05-23 VulDB GHSA-hqv7-8cjm-q98x
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Severity Changed
May 26, 2026 - 19:52 NVD
MEDIUM LOW
CVSS changed
May 26, 2026 - 19:52 NVD
6.3 (MEDIUM) 2.1 (LOW)
Analysis Generated
May 23, 2026 - 15:15 vuln.today

DescriptionCVE.org

A weakness has been identified in QuantumNous new-api up to 0.12.1. The impacted element is the function SearchUserTopUps/SearchAllTopUps of the file model/topup.go of the component self Endpoint. This manipulation causes sql injection. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

SQL injection in QuantumNous new-api versions up to 0.12.1 allows authenticated remote attackers to manipulate database queries through the SearchUserTopUps and SearchAllTopUps functions in the self endpoint. The vulnerability exists in model/topup.go with confirmed public exploit code available on GitHub. With EPSS data unavailable and CVSS 6.3 (medium severity), the primary risk stems from the low-complexity exploitation requiring only low-level authentication, enabling attackers to exfiltrate sensitive data, modify records, or potentially execute denial-of-service attacks against the database layer.

Technical ContextAI

This is a classic SQL injection vulnerability (CWE-89) in the QuantumNous new-api Go application, specifically affecting the topup model's search functions. The vulnerability resides in model/topup.go where the SearchUserTopUps and SearchAllTopUps functions process user input without proper sanitization or parameterized queries. As a Go-based API service (cpe:2.3:a:quantumnous:new-api), the application likely uses direct SQL string concatenation or unsafe query building methods when searching topup records through the self endpoint. SQL injection occurs when attacker-controlled input is directly embedded into SQL statements, allowing malicious actors to break out of the intended query context and inject arbitrary SQL commands. The network-accessible (AV:N) self endpoint accepts authenticated requests (PR:L) that can deliver crafted payloads to these vulnerable search functions, manipulating the underlying database queries without requiring complex attack techniques (AC:L).

RemediationAI

No vendor-released patch has been identified at time of analysis, as the vendor did not respond to early disclosure attempts per the CVE description and no fix version is documented in available intelligence sources. Organizations should implement immediate compensating controls: First, restrict network access to the self endpoint containing SearchUserTopUps and SearchAllTopUps functions using firewall rules or reverse proxy ACLs to trusted IP ranges only, understanding this limits legitimate remote access. Second, implement Web Application Firewall (WAF) rules targeting SQL injection patterns in requests to /topup or /self endpoints, with careful tuning to avoid false positives on legitimate search queries. Third, enforce principle of least privilege by reviewing user authentication tokens and restricting low-privilege accounts from accessing topup search functionality if business logic permits, though this may impact user experience. Fourth, enable comprehensive SQL query logging and monitoring to detect exploitation attempts showing UNION, SELECT, OR 1=1, or other SQLi indicators in search parameters. Consider engaging application security consultants to develop and apply a source code patch for model/topup.go implementing parameterized queries or ORM-based database access. Monitor the project repository and VulDB advisories (https://vuldb.com/vuln/365252/cti) for vendor updates, though continued vendor silence suggests evaluating alternative API gateway solutions for long-term risk management.

Share

CVE-2026-9305 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy