CVE-2026-9306: Unauthenticated Insecure Direct Object Reference (IDOR) in QuantumNous new-api Midjourney Relay

The QuantumNous new-api application exposes a Midjourney Image Relay endpoint designed to serve generated images to authenticated users. This endpoint, located at /mj/image/:id, operates by taking a user-supplied Midjourney Task ID (mj_id), querying the underlying database for the corresponding image record, and proxying the image data back to the client.

An architectural flaw exists in versions up to and including 0.12.1 where this specific route is registered prior to the application's authentication middleware. Consequently, the endpoint does not enforce token-based authentication, leaving it fully accessible to any external requester.

Furthermore, the backend query executing the data retrieval fails to implement object-level scoping. The database lookup retrieves records based solely on the provided mj_id without verifying if the requested resource belongs to the currently authenticated session context.

The combination of these two flaws results in a complete authentication bypass and an Insecure Direct Object Reference (IDOR) vulnerability. An attacker possessing a valid mj_id can exfiltrate arbitrary user-generated content from the system.

The root cause of CVE-2026-9306 is divided between the routing layer and the data access layer. The primary failure occurs in router/relay-router.go, where the developer registers the GET route for image retrieval outside the protected router group.

The Gin framework processes middleware sequentially. Because relayMjRouter.GET("/image/:id", relay.RelayMidjourneyImage) is declared before relayMjRouter.Use(middleware.TokenAuth()), the request context bypasses the token validation logic entirely. The request is immediately handed off to the controller handler.

The secondary failure resides in the handler function RelayMidjourneyImage, located in relay/mjproxy_handler.go. This handler extracts the identifier from the URL path and passes it to model.GetByOnlyMJId(taskId). This function executes a database query without asserting ownership over the target record.

The codebase includes a secure alternative function named GetByMJId(userId, mjId), which correctly restricts the SQL query to the requesting user's tenant scope. The failure to utilize this secure function on the image relay endpoint finalizes the conditions required for unauthenticated data access.

Analysis of the new-api repository reveals the exact location of the middleware misconfiguration. The vulnerable routing logic is defined in router/relay-router.go. The endpoint registration occurs before the middleware application block.

func registerMjRouterGroup(relayMjRouter *gin.RouterGroup) {
    // VULNERABLE: Route registration bypasses authentication
    relayMjRouter.GET("/image/:id", relay.RelayMidjourneyImage)
    
    // TokenAuth is applied after the above route
    relayMjRouter.Use(middleware.TokenAuth(), middleware.Distribute())
    {
        relayMjRouter.POST("/submit/imagine", controller.RelayMidjourney)
        // other protected routes
    }
}

Once the request reaches the controller, the application queries the database using an insecure Object-Relational Mapping (ORM) call. The function GetByOnlyMJId in model/midjourney.go demonstrates the absence of tenant isolation.

func GetByOnlyMJId(mjId string) *Midjourney {
    var mj Midjourney
    // VULNERABLE: Missing 'user_id = ?' constraint
    err := DB.Where("mj_id = ?", mjId).First(&mj).Error
    return &mj
}

To remediate this issue comprehensively, developers must apply two changes. First, the GET /image/:id route must be moved inside the code block governed by relayMjRouter.Use(middleware.TokenAuth()). Second, the handler must be updated to extract the authenticated user ID from the Gin context and utilize model.GetByMJId(userId, taskId) to enforce access controls.

Exploiting CVE-2026-9306 requires network reachability to the new-api instance and knowledge of a valid mj_id. The mj_id is typically a predictably formatted string or a timestamp-based identifier utilized by the Midjourney backend.

An external attacker can execute the attack using standard HTTP clients. No session tokens, API keys, or authorization headers are required to construct a successful payload. The exploitation phase relies entirely on traversing the unprotected route.

import requests
 
TARGET_URL = "http://target-api:3000"
VICTIM_MJ_ID = "victim-mj-1775211177224"
 
def exploit():
    leak_url = f"{TARGET_URL}/mj/image/{VICTIM_MJ_ID}"
    resp = requests.get(leak_url, timeout=20)
    
    if resp.status_code == 200 and "image" in resp.headers.get("Content-Type", ""):
        with open("stolen_image.jpg", "wb") as f:
            f.write(resp.content)

Upon receiving the request, the application fetches the image URL from the local database and uses standard Go libraries (io.Copy) to proxy the binary image data back in the HTTP response. The attacker receives the original, unadulterated media file.

The vulnerability carries a CVSS 4.0 score of 6.3 (Medium), characterized by the vector CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P. The confidentiality impact is marked as Low (VC:L) because the exfiltration is strictly limited to image binaries, without exposing credentials or underlying infrastructure.

The High Complexity (AC:H) metric accounts for the attacker's need to obtain or guess a valid mj_id. While the identifiers are not cryptographically secure random numbers, brute-forcing the exact identifier space requires time and specific knowledge of the generation algorithm.

Despite the medium numerical score, the practical risk for SaaS providers using new-api is substantial. A successful attack violates data privacy guarantees, allowing unauthorized parties to harvest potentially sensitive or proprietary AI-generated assets belonging to paying customers.

At the time of disclosure, no official patch is available from the vendor. Organizations running vulnerable instances must manually modify the source code and recompile the binary to restore security. The routing logic in router/relay-router.go must be updated to place the image endpoint behind the TokenAuth middleware.

As an interim mitigation, infrastructure teams can deploy Web Application Firewall (WAF) rules to restrict access. A WAF policy should block all incoming GET requests targeting the /mj/image/ URI path unless a valid Authorization or New-Api-User header is present.

Security teams can verify exposure using Nuclei or similar automated scanners. By sending a request to the /mj/image/placeholder_id path without credentials, scanners can identify vulnerable configurations. A response status of 404 indicates the endpoint is reachable (the database simply lacked the placeholder ID), whereas a 401 or 403 status indicates the authentication middleware is correctly functioning.