Publish GHSA-f35r-v9x5-r8mc

advisory-database[bot] · advisory-database[bot] · commit 406cf3732680 · 2026-03-23T20:33:52.000Z
diff --git a/advisories/github-reviewed/2026/03/GHSA-f35r-v9x5-r8mc/GHSA-f35r-v9x5-r8mc.json b/advisories/github-reviewed/2026/03/GHSA-f35r-v9x5-r8mc/GHSA-f35r-v9x5-r8mc.json
@@ -0,0 +1,61 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-f35r-v9x5-r8mc",
+  "modified": "2026-03-23T20:30:57Z",
+  "published": "2026-03-23T20:30:57Z",
+  "aliases": [
+    "CVE-2026-30886"
+  ],
+  "summary": "New API: IDOR in VideoProxy allows cross-user video content access via missing ownership check ",
+  "details": "## Summary\n\nThe video proxy endpoint `GET /v1/videos/:task_id/content` is vulnerable to an Insecure Direct Object Reference (IDOR). Any authenticated user who knows another user's `task_id` can retrieve that user's generated video content because the handler queries tasks by `task_id` alone and does not verify ownership.\n\n## Affected Component\n\n- Endpoint: `GET /v1/videos/:task_id/content`\n- Route middleware: `TokenOrUserAuth()`\n- Vulnerable handler: `controller.VideoProxy`\n\n## Details\n\n`VideoProxy` fetches the task with:\n\n```go\ntask, exists, err := model.GetByOnlyTaskId(taskID)\n```\n\n`GetByOnlyTaskId` performs a database lookup using only `task_id`:\n\n```go\nerr = DB.Where(\"task_id = ?\", taskId).First(&task).Error\n```\n\nThe authenticated user's ID is available in request context, but `VideoProxy` does not use it. This allows any authenticated user to request `/v1/videos/<foreign_task_id>/content` and access another user's video if they know a valid task ID.\n\nOther task-fetch paths already enforce ownership correctly via:\n\n```go\nmodel.GetByTaskId(userId, taskId)\n```\n\n## Impact\n\nAn authenticated attacker who knows another user's `task_id` can:\n\n- Download video content belonging to another user\n- Bypass tenant isolation for generated media assets\n- Cause the server to fetch upstream video content for a task the attacker does not own\n\nFor Gemini tasks, the proxy also uses `task.PrivateData.Key` when contacting the upstream provider. In addition, full upstream response headers are forwarded back to the requester.\n\n## Proof of Concept\n\n```bash\ncurl -o stolen_video.mp4 \\\n  \"https://<instance>/v1/videos/<victim_task_id>/content\" \\\n  -H \"Authorization: Bearer sk-<attacker_token>\"\n```\n\nExpected result:\n\n- Response returns `200 OK`\n- Response body contains the victim's video content\n\n## Recommended Fix\n\nReplace the task lookup in `VideoProxy` with an ownership-checked query:\n\n```go\nuserId := c.GetInt(\"id\")\ntask, exists, err := model.GetByTaskId(userId, taskID)\n```",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/QuantumNous/new-api"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.11.4-alpha.2"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/QuantumNous/new-api/security/advisories/GHSA-f35r-v9x5-r8mc"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/QuantumNous/new-api/commit/50ec2bac6b341e651fc9ac4344e3bd2cdaeafdbd"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/QuantumNous/new-api"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-639"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-23T20:30:57Z",
+    "nvd_published_at": null
+  }
+}
