CVE-2026-9306

3.7 LOW

A security vulnerability has been detected in QuantumNous new-api up to 0.12.1

Published: 2026-05-23 · Last updated: 2026-05-26

Severity and scoring

CVSS: 3.7 LOW
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
CWE: CWE-285, CWE-639

Description

A security vulnerability has been detected in QuantumNous new-api up to 0.12.1. This affects the function RelayMidjourneyImage/GetByOnlyMJId of the file router/relay-router.go of the component Midjourney Image Relay Endpoint. Such manipulation leads to authorization bypass. The attack can be launched remotely. The attack requires a high level of complexity. The exploitability is reported as difficult. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Source: NVD

References

[NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-9306
[Other]https://gist.github.com/YLChen-007/13974ead25fc6dac42fd7bac62fbb2df
[Other]https://vuldb.com/submit/812196
[Other]https://vuldb.com/vuln/365253
[Other]https://vuldb.com/vuln/365253/cti

Related CVEs

Same CWE

CVE-2026-47342 — A privilege escalation vulnerability in Apache OFBiz allows a low-privileged authenticated user to obtain higher privileges This issue...
CVE-2026-46668 — SpiceDB is an open source database system for creating and managing security-critical application permissions
CVE-2026-44692 — Sharp is a content management framework built for Laravel as a package (7.7 HIGH)
CVE-2026-46558 — Plane is an open-source project management tool (8.3 HIGH)
CVE-2026-53471 — A flaw was found in migration-planner (9.6 CRITICAL)