PT-2026-27197 · Google · Google Gemini

Mistz1 · Published 2026-03-23 · Updated 2026-03-27 · CVE-2026-30886

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: New API, versions prior to 0.11.4-alpha.2

Description: The software contains an Insecure Direct Object Reference (IDOR) in the video proxy endpoint. Any authenticated user can retrieve video content belonging to other users because of a missing authorization check. Specifically, the `model.GetByOnlyTaskId(taskID)` function queries tasks by task id alone, without verifying user ownership, while the other task lookups correctly enforce ownership through `model.GetByTaskId(userId, taskID)`. This lets an attacker bypass tenant isolation for generated media assets and potentially reach sensitive data, including upstream response headers and the API keys used to contact AI providers such as Google Gemini and OpenAI. The vulnerable API endpoint is `GET /v1/videos/:task id/content`, the vulnerable parameter is the task id, and the vulnerable handler is `controller.VideoProxy`. An attacker can exploit this by sending a request to the affected endpoint with a known task id belonging to another user.
Recommendations: Replace the task lookup in `VideoProxy` with an ownership-checked query:

```go
// Scope the lookup to the authenticated caller instead of filtering on the task id alone.
userId := c.GetInt("id")
task, exists, err := model.GetByTaskId(userId, taskID)
```
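To make the difference between the two lookups concrete, here is an added, self-contained Go example (not code from the New API project): an in-memory task store with an id-only query and an ownership-scoped query, plus a handler stand-in that calls either one. The `Task` type, `TaskStore`, `VideoProxy` signature and the sample task are constructed assumptions.

```go
package main

import "fmt"

// Task is a constructed stand-in for a generated-media task row; field names are assumptions.
type Task struct{ UserID int; VideoURL string }

// TaskStore is an in-memory table standing in for the database.
type TaskStore map[string]Task

// GetByOnlyTaskID reproduces the vulnerable lookup: the predicate is the task id
// alone, so any authenticated caller who knows an id is handed the row.
func (s TaskStore) GetByOnlyTaskID(taskID string) (Task, bool, error) {
	t, ok := s[taskID]
	return t, ok, nil
}

// GetByTaskID is the ownership-checked lookup: the caller's user id is part of
// the predicate, so another tenant's task looks exactly like a missing one.
func (s TaskStore) GetByTaskID(userID int, taskID string) (Task, bool, error) {
	t, ok := s[taskID]
	if !ok || t.UserID != userID {
		return Task{}, false, nil
	}
	return t, true, nil
}

// VideoProxy models the handler's lookup step and returns the URL it would proxy plus an
// HTTP status; hardened=false is the id-only query (the IDOR), hardened=true the fixed one.
func VideoProxy(s TaskStore, callerUserID int, taskID string, hardened bool) (string, int, error) {
	lookup := s.GetByOnlyTaskID
	if hardened {
		lookup = func(id string) (Task, bool, error) { return s.GetByTaskID(callerUserID, id) }
	}
	task, exists, err := lookup(taskID)
	switch {
	case err != nil:
		return "", 500, err
	case !exists:
		return "", 404, nil
	}
	return task.VideoURL, 200, nil
}

func main() {
	store := TaskStore{"t-100": {UserID: 1, VideoURL: "https://upstream.example/v/t-100"}}
	_, idor, _ := VideoProxy(store, 2, "t-100", false) // user 2 reaches user 1's task: 200
	_, fixed, _ := VideoProxy(store, 2, "t-100", true) // same request after the fix: 404
	fmt.Println(idor, fixed)
}
```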


Related Identifiers

CVE-2026-30886
GHSA-F35R-V9X5-R8MC
GO-2026-4814
SUSE-SU-2026:1135-1

Affected Products

Google Gemini
OpenAI