CVE-2026-9305 QuantumNous CVE debrief

Who should care

Organizations running QuantumNous new-api versions ≤0.12.1, particularly those exposing top-up management functionality to authenticated users. Security teams responsible for API security and database integrity should prioritize review of query construction patterns in this component.

Technical summary

The vulnerability stems from improper neutralization of special elements in SQL commands within the top-up search functionality. The SearchUserTopUps and SearchAllTopUps functions in model/topup.go construct database queries without adequate parameterization, allowing attackers to inject malicious SQL syntax. This represents a classic injection weakness (CWE-89) where attacker-controlled input reaches the database interpreter.

Defensive priority

medium

Recommended defensive actions

• Review and restrict database query construction in SearchUserTopUps and SearchAllTopUps functions to use parameterized queries or prepared statements
• Apply input validation and sanitization for all user-supplied parameters processed by the top-up search endpoints
• Monitor database query logs for anomalous patterns indicative of SQL injection attempts
• Consider network segmentation to limit database exposure if immediate patching is unavailable
• Evaluate upgrade paths to versions beyond 0.12.1 when vendor patches become available

Evidence notes

Vulnerability identified through code analysis of the self endpoint component. CWE-89 (SQL Injection) and CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component) are the primary weakness classifications. The CVSS 4.0 vector indicates network attack vector with low attack complexity, low privileges required, and no user interaction needed.

Official resources