May 23, 2026·5 min read·36 visits
An architectural flaw in QuantumNous new-api <= 0.12.1 allows unauthenticated attackers to bypass authorization and extract user-generated Midjourney images via the `/mj/image/:id` endpoint using a valid task ID.
CVE-2026-9306 is a critical unauthenticated Insecure Direct Object Reference (IDOR) vulnerability located in the QuantumNous new-api application, affecting versions up to and including 0.12.1. The flaw is caused by improper middleware ordering combined with a lack of object-level authorization checks. This allows remote, unauthenticated attackers to retrieve sensitive Midjourney images belonging to other users by supplying a valid task identifier.
The QuantumNous new-api application exposes a Midjourney Image Relay endpoint designed to serve generated images to authenticated users. This endpoint, located at /mj/image/:id, operates by taking a user-supplied Midjourney Task ID (mj_id), querying the underlying database for the corresponding image record, and proxying the image data back to the client.
An architectural flaw exists in versions up to and including 0.12.1 where this specific route is registered prior to the application's authentication middleware. Consequently, the endpoint does not enforce token-based authentication, leaving it fully accessible to any external requester.
Furthermore, the backend query executing the data retrieval fails to implement object-level scoping. The database lookup retrieves records based solely on the provided mj_id without verifying if the requested resource belongs to the currently authenticated session context.
The combination of these two flaws results in a complete authentication bypass and an Insecure Direct Object Reference (IDOR) vulnerability. An attacker possessing a valid mj_id can exfiltrate arbitrary user-generated content from the system.
The root cause of CVE-2026-9306 is divided between the routing layer and the data access layer. The primary failure occurs in router/relay-router.go, where the developer registers the GET route for image retrieval outside the protected router group.
The Gin framework processes middleware sequentially. Because relayMjRouter.GET("/image/:id", relay.RelayMidjourneyImage) is declared before relayMjRouter.Use(middleware.TokenAuth()), the request context bypasses the token validation logic entirely. The request is immediately handed off to the controller handler.
The secondary failure resides in the handler function RelayMidjourneyImage, located in relay/mjproxy_handler.go. This handler extracts the identifier from the URL path and passes it to model.GetByOnlyMJId(taskId). This function executes a database query without asserting ownership over the target record.
The codebase includes a secure alternative function named GetByMJId(userId, mjId), which correctly restricts the SQL query to the requesting user's tenant scope. The failure to utilize this secure function on the image relay endpoint finalizes the conditions required for unauthenticated data access.
Analysis of the new-api repository reveals the exact location of the middleware misconfiguration. The vulnerable routing logic is defined in router/relay-router.go. The endpoint registration occurs before the middleware application block.
func registerMjRouterGroup(relayMjRouter *gin.RouterGroup) {
// VULNERABLE: Route registration bypasses authentication
relayMjRouter.GET("/image/:id", relay.RelayMidjourneyImage)
// TokenAuth is applied after the above route
relayMjRouter.Use(middleware.TokenAuth(), middleware.Distribute())
{
relayMjRouter.POST("/submit/imagine", controller.RelayMidjourney)
// other protected routes
}
}Once the request reaches the controller, the application queries the database using an insecure Object-Relational Mapping (ORM) call. The function GetByOnlyMJId in model/midjourney.go demonstrates the absence of tenant isolation.
func GetByOnlyMJId(mjId string) *Midjourney {
var mj Midjourney
// VULNERABLE: Missing 'user_id = ?' constraint
err := DB.Where("mj_id = ?", mjId).First(&mj).Error
return &mj
}To remediate this issue comprehensively, developers must apply two changes. First, the GET /image/:id route must be moved inside the code block governed by relayMjRouter.Use(middleware.TokenAuth()). Second, the handler must be updated to extract the authenticated user ID from the Gin context and utilize model.GetByMJId(userId, taskId) to enforce access controls.
Exploiting CVE-2026-9306 requires network reachability to the new-api instance and knowledge of a valid mj_id. The mj_id is typically a predictably formatted string or a timestamp-based identifier utilized by the Midjourney backend.
An external attacker can execute the attack using standard HTTP clients. No session tokens, API keys, or authorization headers are required to construct a successful payload. The exploitation phase relies entirely on traversing the unprotected route.
import requests
TARGET_URL = "http://target-api:3000"
VICTIM_MJ_ID = "victim-mj-1775211177224"
def exploit():
leak_url = f"{TARGET_URL}/mj/image/{VICTIM_MJ_ID}"
resp = requests.get(leak_url, timeout=20)
if resp.status_code == 200 and "image" in resp.headers.get("Content-Type", ""):
with open("stolen_image.jpg", "wb") as f:
f.write(resp.content)Upon receiving the request, the application fetches the image URL from the local database and uses standard Go libraries (io.Copy) to proxy the binary image data back in the HTTP response. The attacker receives the original, unadulterated media file.
The vulnerability carries a CVSS 4.0 score of 6.3 (Medium), characterized by the vector CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P. The confidentiality impact is marked as Low (VC:L) because the exfiltration is strictly limited to image binaries, without exposing credentials or underlying infrastructure.
The High Complexity (AC:H) metric accounts for the attacker's need to obtain or guess a valid mj_id. While the identifiers are not cryptographically secure random numbers, brute-forcing the exact identifier space requires time and specific knowledge of the generation algorithm.
Despite the medium numerical score, the practical risk for SaaS providers using new-api is substantial. A successful attack violates data privacy guarantees, allowing unauthorized parties to harvest potentially sensitive or proprietary AI-generated assets belonging to paying customers.
At the time of disclosure, no official patch is available from the vendor. Organizations running vulnerable instances must manually modify the source code and recompile the binary to restore security. The routing logic in router/relay-router.go must be updated to place the image endpoint behind the TokenAuth middleware.
As an interim mitigation, infrastructure teams can deploy Web Application Firewall (WAF) rules to restrict access. A WAF policy should block all incoming GET requests targeting the /mj/image/ URI path unless a valid Authorization or New-Api-User header is present.
Security teams can verify exposure using Nuclei or similar automated scanners. By sending a request to the /mj/image/placeholder_id path without credentials, scanners can identify vulnerable configurations. A response status of 404 indicates the endpoint is reachable (the database simply lacked the placeholder ID), whereas a 401 or 403 status indicates the authentication middleware is correctly functioning.
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P| Product | Affected Versions | Fixed Version |
|---|---|---|
new-api QuantumNous | <= 0.12.1 | - |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-639 |
| Attack Vector | Network |
| CVSS 4.0 | 6.3 |
| Authentication | None Required |
| Impact | Data Exfiltration (Low Confidentiality) |
| Exploit Status | Weaponized PoC Available |
| KEV Status | Not Listed |
The system's authorization model fails to restrict access to a specific resource when an identifier is provided, allowing an attacker to access objects belonging to other users.
Januscape (CVE-2026-53359) is a critical Use-After-Free vulnerability in the x86 Shadow MMU component of the Linux Kernel's KVM subsystem. A logic error in shadow page tracking permits unauthorized page reuse without validating architectural execution roles, leading to dangling pointers in reverse mapping (rmap) tracking entries during guest memory teardown.
CVE-2026-48282 is a critical unauthenticated path traversal and arbitrary file write vulnerability in the Remote Development Services (RDS) component of Adobe ColdFusion. The vulnerability allows a remote, unauthenticated attacker to bypass directory boundaries and write arbitrary files, including CFML-based web shells, onto the host server. This flaw is actively exploited in the wild and enables full unauthenticated remote code execution under the privileges of the ColdFusion service account.
An information disclosure vulnerability exists in the web-auth/webauthn-lib PHP library when using the default SimpleFakeCredentialGenerator without a configured secret. This allows unauthenticated remote attackers to determine if a username exists on the target application.
A Stored and Reflected Cross-Site Scripting (XSS) vulnerability was identified in the Rust web service library 'rama' prior to version 0.3.0-rc.1. When serving directories using DirectoryServeMode::HtmlFileList, the library improperly escapes directory names, filenames, and request path components before injecting them into dynamically generated HTML files. This allows attackers to execute malicious scripts inside user browser sessions.
The ha-mcp add-on for Home Assistant exposes its settings and security policy routes without authentication at the bare root path of TCP port 9583. This exposure allows unauthorized adjacent network clients to reconfigure tools, alter policies, and bypass human-in-the-loop approval gates. The vulnerability has been addressed in development build 7.6.0.dev393 and subsequent releases by restricting access to root-mounted routes exclusively to the Supervisor Ingress IP.
An authentication freshness bypass vulnerability exists in the WebAuthn re-authentication path of Flask-Security-Too versions 5.8.0 and 5.8.1. The flaw allows an authenticated attacker to elevate the freshness status of a victim session using their own WebAuthn credential, bypassing re-authentication constraints.