Vulnerability-Lookup

CVE-2026-30886 (GCVE-0-2026-30886)

Vulnerability from cvelistv5 – Published: 2026-03-23 19:18 – Updated: 2026-03-25 14:41

Title

New API: IDOR in VideoProxy allows cross-user video content access via missing ownership check

Summary

New API is a large language mode (LLM) gateway and artificial intelligence (AI) asset management system. Prior to version 0.11.4-alpha.2, an Insecure Direct Object Reference (IDOR) vulnerability in the video proxy endpoint (`GET /v1/videos/:task_id/content`) allows any authenticated user to access video content belonging to other users and causes the server to authenticate to upstream AI providers (Google Gemini, OpenAI) using credentials derived from tasks they do not own. The missing authorization check is a single function call — `model.GetByOnlyTaskId(taskID)` queries by `task_id` alone with no `user_id` filter, while every other task-lookup in the codebase enforces ownership via `model.GetByTaskId(userId, taskID)`. Version 0.11.4-alpha.2 contains a patch.

Severity ?

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CWE

CWE-639 - Authorization Bypass Through User-Controlled Key

Assigner

GitHub_M

References

URL

Tags

	https://github.com/QuantumNous/new-api/security/a…	x_refsource_CONFIRM
	https://github.com/QuantumNous/new-api/commit/50e…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	QuantumNous	new-api	Affected: < 0.11.4-alpha.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-30886",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-25T14:40:22.987585Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-25T14:41:44.784Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "new-api",
          "vendor": "QuantumNous",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.11.4-alpha.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "New API is a large language mode (LLM) gateway and artificial intelligence (AI) asset management system. Prior to version 0.11.4-alpha.2, an Insecure Direct Object Reference (IDOR) vulnerability in the video proxy endpoint (`GET /v1/videos/:task_id/content`) allows any authenticated user to access video content belonging to other users and causes the server to authenticate to upstream AI providers (Google Gemini, OpenAI) using credentials derived from tasks they do not own. The missing authorization check is a single function call \u2014 `model.GetByOnlyTaskId(taskID)` queries by `task_id` alone with no `user_id` filter, while every other task-lookup in the codebase enforces ownership via `model.GetByTaskId(userId, taskID)`. Version 0.11.4-alpha.2 contains a patch."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639: Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-23T19:18:34.150Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/QuantumNous/new-api/security/advisories/GHSA-f35r-v9x5-r8mc",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/QuantumNous/new-api/security/advisories/GHSA-f35r-v9x5-r8mc"
        },
        {
          "name": "https://github.com/QuantumNous/new-api/commit/50ec2bac6b341e651fc9ac4344e3bd2cdaeafdbd",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/QuantumNous/new-api/commit/50ec2bac6b341e651fc9ac4344e3bd2cdaeafdbd"
        }
      ],
      "source": {
        "advisory": "GHSA-f35r-v9x5-r8mc",
        "discovery": "UNKNOWN"
      },
      "title": "New API: IDOR in VideoProxy allows cross-user video content access via missing ownership check"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-30886",
    "datePublished": "2026-03-23T19:18:34.150Z",
    "dateReserved": "2026-03-06T00:04:56.700Z",
    "dateUpdated": "2026-03-25T14:41:44.784Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-30886",
      "date": "2026-04-19",
      "epss": "0.00035",
      "percentile": "0.10191"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-30886\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-23T20:16:25.963\",\"lastModified\":\"2026-03-25T17:53:53.027\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"New API is a large language mode (LLM) gateway and artificial intelligence (AI) asset management system. Prior to version 0.11.4-alpha.2, an Insecure Direct Object Reference (IDOR) vulnerability in the video proxy endpoint (`GET /v1/videos/:task_id/content`) allows any authenticated user to access video content belonging to other users and causes the server to authenticate to upstream AI providers (Google Gemini, OpenAI) using credentials derived from tasks they do not own. The missing authorization check is a single function call \u2014 `model.GetByOnlyTaskId(taskID)` queries by `task_id` alone with no `user_id` filter, while every other task-lookup in the codebase enforces ownership via `model.GetByTaskId(userId, taskID)`. Version 0.11.4-alpha.2 contains a patch.\"},{\"lang\":\"es\",\"value\":\"Nueva API es una pasarela de modelo de lenguaje grande (LLM) y un sistema de gesti\u00f3n de activos de inteligencia artificial (IA). Antes de la versi\u00f3n 0.11.4-alpha.2, una vulnerabilidad de Referencia Directa Insegura a Objeto (IDOR) en el endpoint de proxy de video (\u0027GET /v1/videos/:task_id/content\u0027) permite a cualquier usuario autenticado acceder a contenido de video perteneciente a otros usuarios y hace que el servidor se autentique con proveedores de IA ascendentes (Google Gemini, OpenAI) utilizando credenciales derivadas de tareas que no poseen. La comprobaci\u00f3n de autorizaci\u00f3n faltante es una \u00fanica llamada a funci\u00f3n \u2014 \u0027model.GetByOnlyTaskId(taskID)\u0027 consulta solo por \u0027task_id\u0027 sin filtro de \u0027user_id\u0027, mientras que cada otra b\u00fasqueda de tarea en la base de c\u00f3digo impone la propiedad a trav\u00e9s de \u0027model.GetByTaskId(userId, taskID)\u0027. La versi\u00f3n 0.11.4-alpha.2 contiene un parche.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-639\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:newapi:new_api:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"0.11.4\",\"matchCriteriaId\":\"588761F3-632A-4CE6-B80E-7D3D772677B1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:newapi:new_api:0.11.4:alpha1:*:*:*:*:*:*\",\"matchCriteriaId\":\"E89C616C-399A-4CE2-899E-31C9ED588FFD\"}]}]}],\"references\":[{\"url\":\"https://github.com/QuantumNous/new-api/commit/50ec2bac6b341e651fc9ac4344e3bd2cdaeafdbd\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/QuantumNous/new-api/security/advisories/GHSA-f35r-v9x5-r8mc\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-30886\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-25T14:40:22.987585Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-25T14:41:37.834Z\"}}], \"cna\": {\"title\": \"New API: IDOR in VideoProxy allows cross-user video content access via missing ownership check\", \"source\": {\"advisory\": \"GHSA-f35r-v9x5-r8mc\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"QuantumNous\", \"product\": \"new-api\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 0.11.4-alpha.2\"}]}], \"references\": [{\"url\": \"https://github.com/QuantumNous/new-api/security/advisories/GHSA-f35r-v9x5-r8mc\", \"name\": \"https://github.com/QuantumNous/new-api/security/advisories/GHSA-f35r-v9x5-r8mc\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/QuantumNous/new-api/commit/50ec2bac6b341e651fc9ac4344e3bd2cdaeafdbd\", \"name\": \"https://github.com/QuantumNous/new-api/commit/50ec2bac6b341e651fc9ac4344e3bd2cdaeafdbd\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"New API is a large language mode (LLM) gateway and artificial intelligence (AI) asset management system. Prior to version 0.11.4-alpha.2, an Insecure Direct Object Reference (IDOR) vulnerability in the video proxy endpoint (`GET /v1/videos/:task_id/content`) allows any authenticated user to access video content belonging to other users and causes the server to authenticate to upstream AI providers (Google Gemini, OpenAI) using credentials derived from tasks they do not own. The missing authorization check is a single function call \\u2014 `model.GetByOnlyTaskId(taskID)` queries by `task_id` alone with no `user_id` filter, while every other task-lookup in the codebase enforces ownership via `model.GetByTaskId(userId, taskID)`. Version 0.11.4-alpha.2 contains a patch.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-639\", \"description\": \"CWE-639: Authorization Bypass Through User-Controlled Key\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-23T19:18:34.150Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-30886\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-25T14:41:44.784Z\", \"dateReserved\": \"2026-03-06T00:04:56.700Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-23T19:18:34.150Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

GHSA-F35R-V9X5-R8MC

Vulnerability from github – Published: 2026-03-23 20:30 – Updated: 2026-03-25 20:44

Summary

New API: IDOR in VideoProxy allows cross-user video content access via missing ownership check

Details

Summary

The video proxy endpoint GET /v1/videos/:task_id/content is vulnerable to an Insecure Direct Object Reference (IDOR). Any authenticated user who knows another user's task_id can retrieve that user's generated video content because the handler queries tasks by task_id alone and does not verify ownership.

Affected Component

Endpoint: GET /v1/videos/:task_id/content
Route middleware: TokenOrUserAuth()
Vulnerable handler: controller.VideoProxy

Details

VideoProxy fetches the task with:

task, exists, err := model.GetByOnlyTaskId(taskID)

GetByOnlyTaskId performs a database lookup using only task_id:

err = DB.Where("task_id = ?", taskId).First(&task).Error

The authenticated user's ID is available in request context, but VideoProxy does not use it. This allows any authenticated user to request /v1/videos/<foreign_task_id>/content and access another user's video if they know a valid task ID.

Other task-fetch paths already enforce ownership correctly via:

model.GetByTaskId(userId, taskId)

Impact

An authenticated attacker who knows another user's task_id can:

Download video content belonging to another user
Bypass tenant isolation for generated media assets
Cause the server to fetch upstream video content for a task the attacker does not own

For Gemini tasks, the proxy also uses task.PrivateData.Key when contacting the upstream provider. In addition, full upstream response headers are forwarded back to the requester.

Proof of Concept

curl -o stolen_video.mp4 \
  "https://<instance>/v1/videos/<victim_task_id>/content" \
  -H "Authorization: Bearer sk-<attacker_token>"

Expected result:

Response returns 200 OK
Response body contains the victim's video content

Recommended Fix

Replace the task lookup in VideoProxy with an ownership-checked query:

userId := c.GetInt("id")
task, exists, err := model.GetByTaskId(userId, taskID)

Severity ?

6.5 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/QuantumNous/new-api"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.11.4-alpha.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-30886"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-23T20:30:57Z",
    "nvd_published_at": "2026-03-23T20:16:25Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nThe video proxy endpoint `GET /v1/videos/:task_id/content` is vulnerable to an Insecure Direct Object Reference (IDOR). Any authenticated user who knows another user\u0027s `task_id` can retrieve that user\u0027s generated video content because the handler queries tasks by `task_id` alone and does not verify ownership.\n\n## Affected Component\n\n- Endpoint: `GET /v1/videos/:task_id/content`\n- Route middleware: `TokenOrUserAuth()`\n- Vulnerable handler: `controller.VideoProxy`\n\n## Details\n\n`VideoProxy` fetches the task with:\n\n```go\ntask, exists, err := model.GetByOnlyTaskId(taskID)\n```\n\n`GetByOnlyTaskId` performs a database lookup using only `task_id`:\n\n```go\nerr = DB.Where(\"task_id = ?\", taskId).First(\u0026task).Error\n```\n\nThe authenticated user\u0027s ID is available in request context, but `VideoProxy` does not use it. This allows any authenticated user to request `/v1/videos/\u003cforeign_task_id\u003e/content` and access another user\u0027s video if they know a valid task ID.\n\nOther task-fetch paths already enforce ownership correctly via:\n\n```go\nmodel.GetByTaskId(userId, taskId)\n```\n\n## Impact\n\nAn authenticated attacker who knows another user\u0027s `task_id` can:\n\n- Download video content belonging to another user\n- Bypass tenant isolation for generated media assets\n- Cause the server to fetch upstream video content for a task the attacker does not own\n\nFor Gemini tasks, the proxy also uses `task.PrivateData.Key` when contacting the upstream provider. In addition, full upstream response headers are forwarded back to the requester.\n\n## Proof of Concept\n\n```bash\ncurl -o stolen_video.mp4 \\\n  \"https://\u003cinstance\u003e/v1/videos/\u003cvictim_task_id\u003e/content\" \\\n  -H \"Authorization: Bearer sk-\u003cattacker_token\u003e\"\n```\n\nExpected result:\n\n- Response returns `200 OK`\n- Response body contains the victim\u0027s video content\n\n## Recommended Fix\n\nReplace the task lookup in `VideoProxy` with an ownership-checked query:\n\n```go\nuserId := c.GetInt(\"id\")\ntask, exists, err := model.GetByTaskId(userId, taskID)\n```",
  "id": "GHSA-f35r-v9x5-r8mc",
  "modified": "2026-03-25T20:44:47Z",
  "published": "2026-03-23T20:30:57Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/QuantumNous/new-api/security/advisories/GHSA-f35r-v9x5-r8mc"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30886"
    },
    {
      "type": "WEB",
      "url": "https://github.com/QuantumNous/new-api/commit/50ec2bac6b341e651fc9ac4344e3bd2cdaeafdbd"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/QuantumNous/new-api"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "New API: IDOR in VideoProxy allows cross-user video content access via missing ownership check "
}

FKIE_CVE-2026-30886

Vulnerability from fkie_nvd - Published: 2026-03-23 20:16 - Updated: 2026-03-25 17:53

Severity ?

6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/QuantumNous/new-api/commit/50ec2bac6b341e651fc9ac4344e3bd2cdaeafdbd	Patch
	security-advisories@github.com	https://github.com/QuantumNous/new-api/security/advisories/GHSA-f35r-v9x5-r8mc	Exploit, Mitigation, Vendor Advisory

Impacted products

	Vendor	Product	Version
	newapi	new_api	*
	newapi	new_api	0.11.4

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:newapi:new_api:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "588761F3-632A-4CE6-B80E-7D3D772677B1",
              "versionEndExcluding": "0.11.4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:newapi:new_api:0.11.4:alpha1:*:*:*:*:*:*",
              "matchCriteriaId": "E89C616C-399A-4CE2-899E-31C9ED588FFD",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "New API is a large language mode (LLM) gateway and artificial intelligence (AI) asset management system. Prior to version 0.11.4-alpha.2, an Insecure Direct Object Reference (IDOR) vulnerability in the video proxy endpoint (`GET /v1/videos/:task_id/content`) allows any authenticated user to access video content belonging to other users and causes the server to authenticate to upstream AI providers (Google Gemini, OpenAI) using credentials derived from tasks they do not own. The missing authorization check is a single function call \u2014 `model.GetByOnlyTaskId(taskID)` queries by `task_id` alone with no `user_id` filter, while every other task-lookup in the codebase enforces ownership via `model.GetByTaskId(userId, taskID)`. Version 0.11.4-alpha.2 contains a patch."
    },
    {
      "lang": "es",
      "value": "Nueva API es una pasarela de modelo de lenguaje grande (LLM) y un sistema de gesti\u00f3n de activos de inteligencia artificial (IA). Antes de la versi\u00f3n 0.11.4-alpha.2, una vulnerabilidad de Referencia Directa Insegura a Objeto (IDOR) en el endpoint de proxy de video (\u0027GET /v1/videos/:task_id/content\u0027) permite a cualquier usuario autenticado acceder a contenido de video perteneciente a otros usuarios y hace que el servidor se autentique con proveedores de IA ascendentes (Google Gemini, OpenAI) utilizando credenciales derivadas de tareas que no poseen. La comprobaci\u00f3n de autorizaci\u00f3n faltante es una \u00fanica llamada a funci\u00f3n \u2014 \u0027model.GetByOnlyTaskId(taskID)\u0027 consulta solo por \u0027task_id\u0027 sin filtro de \u0027user_id\u0027, mientras que cada otra b\u00fasqueda de tarea en la base de c\u00f3digo impone la propiedad a trav\u00e9s de \u0027model.GetByTaskId(userId, taskID)\u0027. La versi\u00f3n 0.11.4-alpha.2 contiene un parche."
    }
  ],
  "id": "CVE-2026-30886",
  "lastModified": "2026-03-25T17:53:53.027",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-23T20:16:25.963",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/QuantumNous/new-api/commit/50ec2bac6b341e651fc9ac4344e3bd2cdaeafdbd"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://github.com/QuantumNous/new-api/security/advisories/GHSA-f35r-v9x5-r8mc"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-639"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-30886 (GCVE-0-2026-30886)

GHSA-F35R-V9X5-R8MC

Summary

Affected Component

Details

Impact

Proof of Concept

Recommended Fix

FKIE_CVE-2026-30886

Tags

Sightings

Nomenclature