PT-2026-42886 · Quantumnous · New Api

·

CVE-2026-9306

·

Published

2026-05-23

·

Updated

2026-05-23

CVSS v3.1

3.7

Low

VectorAV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions QuantumNous new-api versions prior to 0.12.2
Description An issue in the Midjourney Image Relay Endpoint component, specifically within the RelayMidjourneyImage/GetByOnlyMJId() function located in the router/relay-router.go file, allows for a remote authorization bypass. This bypass occurs through manipulation of the function, although the attack is characterized by high complexity and difficult exploitability.
Recommendations Update to a version later than 0.12.1. As a temporary workaround, restrict access to the RelayMidjourneyImage/GetByOnlyMJId() function to minimize the risk of exploitation.

Exploit

Fix

Improper Authorization

IDOR

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-9306

Affected Products

New Api