
Description

New API is a large language model (LLM) gateway and artificial intelligence (AI) asset management system. Prior to version 0.11.4-alpha.2, an Insecure Direct Object Reference (IDOR) vulnerability in the video proxy endpoint (`GET /v1/videos/:task_id/content`) allows any authenticated user to access video content belonging to other users and causes the server to authenticate to upstream AI providers (Google Gemini, OpenAI) using credentials derived from tasks they do not own. The missing authorization check is a single function call: `model.GetByOnlyTaskId(taskID)` queries by `task_id` alone with no `user_id` filter, while every other task lookup in the codebase enforces ownership via `model.GetByTaskId(userId, taskID)`. Version 0.11.4-alpha.2 contains a patch.
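The advisory's point is that the two lookups differ only in whether the caller's identity is part of the query. The following Go example is added here to illustrate that difference; it is not code from the New API project. The in-memory `TaskStore`, the `Task` fields, the placeholder provider keys and the `VideoContentHandler` function are constructed stand-ins, and the method names mirror the advisory's `GetByOnlyTaskId` / `GetByTaskId` only to make the comparison readable.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrNotFound is returned for both a missing task and a task the caller does
// not own, so the response does not confirm that a foreign task id exists.
var ErrNotFound = errors.New("task not found")

// Task is a constructed stand-in for the task record the advisory describes:
// the task id from the URL, the owner, and the provider credential the server
// would use upstream. ProviderKey is a placeholder, not a real secret.
type Task struct {
	TaskID      string
	UserID      int
	ProviderKey string
}

// TaskStore is a constructed in-memory stand-in for the database table.
type TaskStore struct {
	tasks []Task
}

// NewSampleStore returns two constructed tasks owned by different users.
func NewSampleStore() *TaskStore {
	return &TaskStore{tasks: []Task{
		{TaskID: "task-1001", UserID: 1, ProviderKey: "PLACEHOLDER-KEY-USER-1"},
		{TaskID: "task-2002", UserID: 2, ProviderKey: "PLACEHOLDER-KEY-USER-2"},
	}}
}

// GetByOnlyTaskID reproduces the lookup shape the advisory flags: it filters on
// task_id alone, so the caller's identity plays no part in the decision.
func (s *TaskStore) GetByOnlyTaskID(taskID string) (*Task, error) {
	for i := range s.tasks {
		if s.tasks[i].TaskID == taskID {
			return &s.tasks[i], nil
		}
	}
	return nil, ErrNotFound
}

// GetByTaskID is the hardened form: both task_id and user_id must match, the
// equivalent of adding a user_id predicate to the database query.
func (s *TaskStore) GetByTaskID(userID int, taskID string) (*Task, error) {
	for i := range s.tasks {
		if s.tasks[i].TaskID == taskID && s.tasks[i].UserID == userID {
			return &s.tasks[i], nil
		}
	}
	return nil, ErrNotFound
}

// VideoContentHandler models the authorization step of the proxy endpoint.
// callerUserID is the identity taken from the session, never from the request
// path. It returns the provider credential the server would go on to use, so
// the caller can see exactly what a missing ownership filter would expose.
// enforceOwnership selects between the vulnerable and the patched lookup.
func VideoContentHandler(s *TaskStore, callerUserID int, taskID string, enforceOwnership bool) (string, error) {
	var (
		task *Task
		err  error
	)
	if enforceOwnership {
		task, err = s.GetByTaskID(callerUserID, taskID)
	} else {
		task, err = s.GetByOnlyTaskID(taskID)
	}
	if err != nil {
		return "", err
	}
	return task.ProviderKey, nil
}

func main() {
	s := NewSampleStore()
	for _, enforce := range []bool{false, true} {
		key, err := VideoContentHandler(s, 2, "task-1001", enforce)
		fmt.Printf("enforceOwnership=%v, user 2 requests task-1001: key=%q err=%v\n", enforce, key, err)
	}
}
```

Two design points are worth noting when reviewing a fix of this kind: the user id must come from the authenticated session rather than anything under the client's control, and a task that exists but belongs to someone else should produce the same not-found result as a task that does not exist, so the endpoint cannot be used to enumerate other users' task ids.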

Status: PUBLISHED | Reserved: 2026-03-06 | Published: 2026-03-23 | Updated: 2026-03-25 | Assigner: GitHub_M

Severity: MEDIUM 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

Problem types

CWE-639: Authorization Bypass Through User-Controlled Key

Product status

Versions < 0.11.4-alpha.2: affected

References

github.com/...ew-api/security/advisories/GHSA-f35r-v9x5-r8mc

github.com/...ommit/50ec2bac6b341e651fc9ac4344e3bd2cdaeafdbd

cve.org (CVE-2026-30886)

nvd.nist.gov (CVE-2026-30886)
