CVE-2026-30886 — MEDIUM (CVSS 6.5) AI Security Vulnerability

CISO Take

CVE-2026-30886 is an IDOR in New API, a popular open-source LLM gateway, allowing any authenticated user to access other users' AI-generated video content AND trigger upstream API calls (Google Gemini, OpenAI) billed against victim users' credentials. The credential abuse vector elevates practical risk beyond the 6.5 CVSS — an attacker can drain competitors' API quotas or access sensitive AI outputs. Patch to 0.11.4-alpha.2 immediately; if delayed, restrict the `/v1/videos/:task_id/content` endpoint to authorized roles at the network layer.

Risk Assessment

Practical risk is elevated above the Medium CVSS rating due to the dual-impact nature: data confidentiality breach plus unauthorized consumption of third-party AI provider credentials. Exploitability is trivial — low privilege, no user interaction, sequential task ID enumeration or blind guessing is sufficient. Exposure is scoped to organizations self-hosting New API as their LLM gateway, which is common in enterprises managing multi-provider AI access centrally. No public exploit code observed at time of analysis, but the vulnerability is trivially reproducible from the advisory.

Severity & Risk

CVSS 3.1

6.5 / 10

EPSS

0.0%

chance of exploitation in 30 days

Higher than 12% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Network

AC Low

PR Low

UI None

S Unchanged

C High

I None

A None

Recommended Action

6 steps

Patch

Upgrade New API to version 0.11.4-alpha.2 immediately.
If unable to patch

Apply WAF rule or reverse proxy ACL blocking unauthenticated or cross-user access to GET /v1/videos/:task_id/content; enforce session-bound task ID validation at the gateway layer.
Audit

Review access logs for the affected endpoint for anomalous cross-user task ID access patterns (user A accessing task IDs that don't correlate with their session history).
Credential rotation

If exploitation is suspected, rotate all upstream AI provider API keys (OpenAI, Google Gemini) configured in New API.
Code review

Audit all other task-lookup endpoints in New API for similar missing user_id filter patterns — the advisory notes this is the only instance, but verify independently.
Detection

Alert on task ID enumeration patterns (sequential or high-volume requests to the video endpoint from a single authenticated user).

CISA SSVC Assessment

Decision Track*

Exploitation poc

Automatable No

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Data Leakage Code Execution API Model Inference AML.T0034 - Cost Harvesting AML.T0040 - AI Model Inference API Access AML.T0049 - Exploit Public-Facing Application AML.T0055 - Unsecured Credentials AML.T0085 - Data from AI Services AML.T0106 - Exploitation for Credential Access

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.1.2 - Segregation of duties A.8.2 - Information security in AI system development

NIST AI RMF

GOVERN 1.1 - Policies and processes address AI risks MANAGE 2.2 - Mechanisms are in place to respond to AI risks

OWASP LLM Top 10

LLM06:2025 - Excessive Agency

Frequently Asked Questions

What is CVE-2026-30886?

CVE-2026-30886 is an IDOR in New API, a popular open-source LLM gateway, allowing any authenticated user to access other users' AI-generated video content AND trigger upstream API calls (Google Gemini, OpenAI) billed against victim users' credentials. The credential abuse vector elevates practical risk beyond the 6.5 CVSS — an attacker can drain competitors' API quotas or access sensitive AI outputs. Patch to 0.11.4-alpha.2 immediately; if delayed, restrict the `/v1/videos/:task_id/content` endpoint to authorized roles at the network layer.

Is CVE-2026-30886 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2026-30886, increasing the risk of exploitation.

How to fix CVE-2026-30886?

1. **Patch**: Upgrade New API to version 0.11.4-alpha.2 immediately. 2. **If unable to patch**: Apply WAF rule or reverse proxy ACL blocking unauthenticated or cross-user access to `GET /v1/videos/:task_id/content`; enforce session-bound task ID validation at the gateway layer. 3. **Audit**: Review access logs for the affected endpoint for anomalous cross-user task ID access patterns (user A accessing task IDs that don't correlate with their session history). 4. **Credential rotation**: If exploitation is suspected, rotate all upstream AI provider API keys (OpenAI, Google Gemini) configured in New API. 5. **Code review**: Audit all other task-lookup endpoints in New API for similar missing `user_id` filter patterns — the advisory notes this is the only instance, but verify independently. 6. **Detection**: Alert on task ID enumeration patterns (sequential or high-volume requests to the video endpoint from a single authenticated user).

What systems are affected by CVE-2026-30886?

This vulnerability affects the following AI/ML architecture patterns: LLM API gateways, Multi-tenant AI platforms, AI asset management systems, Model serving infrastructure, Multi-provider AI orchestration.

What is the CVSS score for CVE-2026-30886?

CVE-2026-30886 has a CVSS v3.1 base score of 6.5 (MEDIUM). The EPSS exploitation probability is 0.04%.

Technical Details

NVD Description

New API is a large language mode (LLM) gateway and artificial intelligence (AI) asset management system. Prior to version 0.11.4-alpha.2, an Insecure Direct Object Reference (IDOR) vulnerability in the video proxy endpoint (`GET /v1/videos/:task_id/content`) allows any authenticated user to access video content belonging to other users and causes the server to authenticate to upstream AI providers (Google Gemini, OpenAI) using credentials derived from tasks they do not own. The missing authorization check is a single function call — `model.GetByOnlyTaskId(taskID)` queries by `task_id` alone with no `user_id` filter, while every other task-lookup in the codebase enforces ownership via `model.GetByTaskId(userId, taskID)`. Version 0.11.4-alpha.2 contains a patch.

Exploitation Scenario

An adversary registers a legitimate account on a shared New API instance (e.g., a corporate LLM gateway or a cloud-hosted multi-tenant deployment). They submit a valid request to generate a video task to obtain a sample `task_id` format. They then enumerate sequential or UUID-range task IDs against `GET /v1/videos/:task_id/content` using their valid session token. For each valid task ID belonging to another user, the server resolves the task without ownership checks, returns the video content, and — critically — authenticates to Google Gemini or OpenAI using the credential associated with the task owner. The adversary can now: (a) exfiltrate other users' AI-generated content, (b) repeatedly trigger expensive AI inference calls charged to victims' API keys, burning their quotas or incurring financial harm, and (c) potentially infer proprietary prompt structures from the content of other users' AI outputs.