CVE-2026-30886: AI component: IDOR enables unauthorized data access
MEDIUM | PoC AVAILABLE | CISA: TRACK*
CVE-2026-30886 is an IDOR in New API, a popular open-source LLM gateway, allowing any authenticated user to access other users' AI-generated video content AND trigger upstream API calls (Google Gemini, OpenAI) billed against victim users' credentials. The credential abuse vector elevates practical risk beyond the 6.5 CVSS: an attacker can drain competitors' API quotas or access sensitive AI outputs. Patch to 0.11.4-alpha.2 immediately; if delayed, restrict the `/v1/videos/:task_id/content` endpoint to authorized roles at the network layer.
What is the risk?
Practical risk is elevated above the Medium CVSS rating due to the dual-impact nature: data confidentiality breach plus unauthorized consumption of third-party AI provider credentials. Exploitability is trivial — low privilege, no user interaction, sequential task ID enumeration or blind guessing is sufficient. Exposure is scoped to organizations self-hosting New API as their LLM gateway, which is common in enterprises managing multi-provider AI access centrally. No public exploit code observed at time of analysis, but the vulnerability is trivially reproducible from the advisory.
What should I do?
1. **Patch**: Upgrade New API to version 0.11.4-alpha.2 immediately.
2. **If unable to patch**: Apply WAF rule or reverse proxy ACL blocking unauthenticated or cross-user access to `GET /v1/videos/:task_id/content`; enforce session-bound task ID validation at the gateway layer.
3. **Audit**: Review access logs for the affected endpoint for anomalous cross-user task ID access patterns (user A accessing task IDs that don't correlate with their session history).
4. **Credential rotation**: If exploitation is suspected, rotate all upstream AI provider API keys (OpenAI, Google Gemini) configured in New API.
5. **Code review**: Audit all other task-lookup endpoints in New API for similar missing `user_id` filter patterns; the advisory notes this is the only instance, but verify independently.
6. **Detection**: Alert on task ID enumeration patterns (sequential or high-volume requests to the video endpoint from a single authenticated user).
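The audit and detection steps can be run as one pass over the gateway's access log, joined against task ownership. The Go sketch below is an added example, not New API code; the log line layout, the `sampleOwners` export and the `Audit` and `Finding` names are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"regexp"
)

// Constructed log lines; the "user=<id> METHOD path status" layout is an assumption.
var sampleLog = []string{
	"user=1 GET /v1/videos/task_a1/content 200",
	"user=3 GET /v1/videos/task_a1/content 200",
	"user=3 GET /v1/videos/task_b7/content 200",
	"user=3 GET /v1/videos/task_zz/content 404",
	"user=3 GET /v1/models 200",
}

// Constructed task_id -> owner map, as it might be exported from the task table.
var sampleOwners = map[string]string{"task_a1": "1", "task_b7": "2"}
var videoRe = regexp.MustCompile(`^user=(\S+) GET /v1/videos/([^/\s]+)/content \d{3}$`)

type Finding struct {
	Foreign  []string // requested task IDs owned by a different user
	Distinct int      // distinct task IDs requested (enumeration signal)
}

// Audit flags users who requested another user's task or >= minDistinct task IDs.
func Audit(lines []string, owners map[string]string, minDistinct int) map[string]Finding {
	seen, distinct, foreign := map[string]bool{}, map[string]int{}, map[string][]string{}
	for _, l := range lines {
		m := videoRe.FindStringSubmatch(l)
		if m == nil || seen[m[1]+" "+m[2]] {
			continue // other endpoint, or a user/task pair already counted
		}
		user, task := m[1], m[2]
		seen[user+" "+task] = true
		distinct[user]++
		if o, ok := owners[task]; ok && o != user {
			foreign[user] = append(foreign[user], task)
		}
	}
	out := map[string]Finding{}
	for user, n := range distinct {
		if len(foreign[user]) > 0 || n >= minDistinct {
			out[user] = Finding{foreign[user], n}
		}
	}
	return out
}

func main() { fmt.Printf("%+v\n", Audit(sampleLog, sampleOwners, 3)) }
```

Cross-user requests are flagged whatever the response status, so the same pass keeps surfacing probing after the patch turns those requests into errors.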
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
Frequently Asked Questions
Is CVE-2026-30886 actively exploited?
Proof-of-concept exploit code is publicly available for CVE-2026-30886, increasing the risk of exploitation.
What systems are affected by CVE-2026-30886?
This vulnerability affects the following AI/ML architecture patterns: LLM API gateways, Multi-tenant AI platforms, AI asset management systems, Model serving infrastructure, Multi-provider AI orchestration.
What is the CVSS score for CVE-2026-30886?
CVE-2026-30886 has a CVSS v3.1 base score of 6.5 (MEDIUM). The EPSS exploitation probability is 0.27%.
What is the AI security impact?
MITRE ATLAS Techniques
- AML.T0034 Cost Harvesting
- AML.T0040 AI Model Inference API Access
- AML.T0049 Exploit Public-Facing Application
- AML.T0055 Unsecured Credentials
- AML.T0085 Data from AI Services
- AML.T0106 Exploitation for Credential Access
What are the technical details?
Original Advisory
New API is a large language model (LLM) gateway and artificial intelligence (AI) asset management system. Prior to version 0.11.4-alpha.2, an Insecure Direct Object Reference (IDOR) vulnerability in the video proxy endpoint (`GET /v1/videos/:task_id/content`) allows any authenticated user to access video content belonging to other users and causes the server to authenticate to upstream AI providers (Google Gemini, OpenAI) using credentials derived from tasks they do not own. The missing authorization check is a single function call — `model.GetByOnlyTaskId(taskID)` queries by `task_id` alone with no `user_id` filter, while every other task-lookup in the codebase enforces ownership via `model.GetByTaskId(userId, taskID)`. Version 0.11.4-alpha.2 contains a patch.
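The difference between the two lookups, as an added Go example that is not New API's source: the function names follow the advisory, while the in-memory `tasks` table, the `Task` fields and the `UpstreamKey` helper are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// Task is a constructed stand-in for a stored video task row.
type Task struct {
	TaskID string
	UserID int
	Key    string // upstream provider credential tied to the task owner
}

var ErrNotFound = errors.New("task not found")

// Constructed sample data: users 1 and 2 each own one task.
var tasks = map[string]Task{
	"task_a1": {TaskID: "task_a1", UserID: 1, Key: "key-user1"},
	"task_b7": {TaskID: "task_b7", UserID: 2, Key: "key-user2"},
}

// GetByOnlyTaskId is keyed by task_id alone: the pattern the advisory describes.
func GetByOnlyTaskId(taskID string) (Task, error) {
	if t, ok := tasks[taskID]; ok {
		return t, nil
	}
	return Task{}, ErrNotFound
}

// GetByTaskId is owner-scoped: a task owned by someone else is reported
// exactly like a missing one, so responses do not confirm that an ID exists.
func GetByTaskId(userID int, taskID string) (Task, error) {
	if t, ok := tasks[taskID]; ok && t.UserID == userID {
		return t, nil
	}
	return Task{}, ErrNotFound
}

// UpstreamKey (hypothetical) picks the credential the proxy presents upstream.
func UpstreamKey(authUserID int, taskID string) (string, error) {
	t, err := GetByTaskId(authUserID, taskID)
	if err != nil {
		return "", err
	}
	return t.Key, nil
}

func main() { fmt.Println(UpstreamKey(1, "task_b7")) }
```

Because the owner check happens before any credential is selected, a request for another user's task never reaches the upstream provider at all.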
Exploitation Scenario
An adversary registers a legitimate account on a shared New API instance (e.g., a corporate LLM gateway or a cloud-hosted multi-tenant deployment). They submit a valid request to generate a video task to obtain a sample `task_id` format. They then enumerate sequential or UUID-range task IDs against `GET /v1/videos/:task_id/content` using their valid session token. For each valid task ID belonging to another user, the server resolves the task without ownership checks, returns the video content, and — critically — authenticates to Google Gemini or OpenAI using the credential associated with the task owner. The adversary can now: (a) exfiltrate other users' AI-generated content, (b) repeatedly trigger expensive AI inference calls charged to victims' API keys, burning their quotas or incurring financial harm, and (c) potentially infer proprietary prompt structures from the content of other users' AI outputs.
Weaknesses (CWE)
CWE-639 — Authorization Bypass Through User-Controlled Key: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
- [Architecture and Design] For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
- [Architecture and Design, Implementation] Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Related Vulnerabilities
- CVE-2025-59528 (10.0) Flowise: Unauthenticated RCE via MCP config injection. Same attack type: Code Execution
- CVE-2024-2912 (10.0) BentoML: RCE via insecure deserialization (CVSS 10). Same attack type: Code Execution
- CVE-2023-3765 (10.0) MLflow: path traversal allows arbitrary file read. Same attack type: Data Leakage
- CVE-2025-5120 (10.0) smolagents: sandbox escape enables unauthenticated RCE. Same attack type: Data Leakage
- CVE-2026-21858 (10.0) n8n: Input Validation flaw enables exploitation. Same attack type: Code Execution