PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-9306 QuantumNous CVE debrief

A low-severity authorization bypass affects QuantumNous new-api up to and including version 0.12.1. The flaw is in the RelayMidjourneyImage/GetByOnlyMJId function in router/relay-router.go, which serves the Midjourney image relay endpoint. A remote attacker can bypass the endpoint's authorization controls without privileges or user interaction, but the CVSS 4.0 vector rates attack complexity as high, so exploitation is not expected to be straightforward. The issue was disclosed publicly on 2026-05-23 after the vendor was contacted and did not respond. The CVSS 4.0 score of 2.9 reflects a network attack vector, high attack complexity, no privileges or user interaction required, and low confidentiality impact with no integrity or availability impact. The weakness is classified as CWE-285 (Improper Authorization) and CWE-639 (Authorization Bypass Through User-Controlled Key); the latter is consistent with a record lookup keyed only on a caller-supplied Midjourney task ID, as the function name suggests.

Vendor
QuantumNous
Product
new-api
CVSS
LOW 2.9
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-23
Original CVE updated
2026-05-26
Advisory published
2026-05-23
Advisory updated
2026-05-26

Who should care

Organizations running QuantumNous new-api ≤0.12.1 whose Midjourney relay routes are reachable from untrusted networks; security teams that monitor AI/ML API gateways for authorization-bypass patterns.

Technical summary

The vulnerability is in the relay router of the Go-based new-api gateway. GetByOnlyMJId does not properly verify that the caller is authorized for the requested Midjourney image before relaying it. The endpoint is network-reachable and, per the CVSS vector, requires no privileges or user interaction, but attack complexity is rated high. Successful exploitation affects confidentiality only, rated low; no integrity or availability impact is recorded.
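The CWE-639 pattern described above, and the scoped authorization check recommended under the defensive actions below, as an added illustration in Go, the project's language. This is example code written for this debrief, not new-api's source: the route prefix /mj/image/, the bearer-token middleware, the data model, and the sample tokens and task IDs are all constructed assumptions. It contrasts a handler whose lookup is keyed only on the caller-supplied Midjourney ID with one that authenticates the caller and scopes the lookup to that caller's own tasks.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// mjImage is a stored Midjourney task result. Constructed schema for this
// example; it is not new-api's data model.
type mjImage struct {
	OwnerUserID int
	URL         string
}

// store stands in for the database. Sample rows are constructed.
var store = map[string]mjImage{
	"task-1001": {OwnerUserID: 1, URL: "https://cdn.example.test/a.png"},
	"task-2002": {OwnerUserID: 2, URL: "https://cdn.example.test/b.png"},
}

// tokens maps a bearer token to a user ID; a stand-in for the gateway's
// token middleware. Values are constructed.
var tokens = map[string]int{"tok-alice": 1, "tok-bob": 2}

// getByOnlyMJID looks a task up by its Midjourney ID and nothing else.
// Whoever supplies a valid ID receives the record: the CWE-639 pattern.
func getByOnlyMJID(mjID string) (mjImage, bool) {
	img, ok := store[mjID]
	return img, ok
}

// getByMJIDAndOwner keys the lookup on the ID and the authenticated owner,
// so a caller can only retrieve their own tasks.
func getByMJIDAndOwner(mjID string, userID int) (mjImage, bool) {
	img, ok := store[mjID]
	if !ok || img.OwnerUserID != userID {
		return mjImage{}, false
	}
	return img, true
}

// authenticate resolves "Authorization: Bearer <token>" to a user ID.
func authenticate(r *http.Request) (int, bool) {
	h := r.Header.Get("Authorization")
	tok := strings.TrimPrefix(h, "Bearer ")
	if tok == "" || tok == h {
		return 0, false
	}
	uid, ok := tokens[tok]
	return uid, ok
}

// mjIDFromPath extracts the ID from /mj/image/<id>; the route prefix is an
// assumption for this example, not new-api's actual route.
func mjIDFromPath(r *http.Request) string {
	return strings.TrimPrefix(r.URL.Path, "/mj/image/")
}

// vulnerableHandler performs no authentication and relays whatever the
// ID-only lookup returns.
func vulnerableHandler(w http.ResponseWriter, r *http.Request) {
	img, ok := getByOnlyMJID(mjIDFromPath(r))
	if !ok {
		http.NotFound(w, r)
		return
	}
	fmt.Fprint(w, img.URL)
}

// hardenedHandler authenticates first, then scopes the lookup to the caller.
// Unknown and foreign IDs both return 404 so the endpoint does not confirm
// that another user's task exists.
func hardenedHandler(w http.ResponseWriter, r *http.Request) {
	uid, ok := authenticate(r)
	if !ok {
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	img, ok := getByMJIDAndOwner(mjIDFromPath(r), uid)
	if !ok {
		http.NotFound(w, r)
		return
	}
	fmt.Fprint(w, img.URL)
}

// probe issues GET /mj/image/<mjID> with an optional bearer token against
// a handler and returns the HTTP status code.
func probe(h http.HandlerFunc, mjID, token string) int {
	req := httptest.NewRequest(http.MethodGet, "/mj/image/"+mjID, nil)
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code
}

func main() {
	fmt.Println("vulnerable, anonymous caller, bob's task:", probe(vulnerableHandler, "task-2002", ""))
	fmt.Println("hardened, anonymous caller:", probe(hardenedHandler, "task-2002", ""))
	fmt.Println("hardened, alice requesting bob's task:", probe(hardenedHandler, "task-2002", "tok-alice"))
	fmt.Println("hardened, bob requesting own task:", probe(hardenedHandler, "task-2002", "tok-bob"))
}
```

The point of the hardened version is that the owner check lives in the lookup itself rather than in a separate branch that a later refactor can drop: there is no code path that fetches a record by ID alone. Returning 404 for both missing and foreign IDs also keeps the endpoint from acting as an oracle for which Midjourney IDs exist.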

Defensive priority

LOW

Recommended defensive actions

  • Restrict access to the Midjourney image relay route in new-api deployments until a fix is available, for example by limiting it to trusted clients or placing it behind the gateway's normal token authentication
  • If you maintain a local fork or patch, add an authorization check in the RelayMidjourneyImage/GetByOnlyMJId path so the lookup is scoped to the requesting user or token rather than keyed on the Midjourney ID alone
  • Monitor for anomalous requests to the HTTP route that router/relay-router.go registers for Midjourney image relay (the file path is source code, not a URL); a single client enumerating many distinct Midjourney IDs is the pattern to look for
  • Upgrade to a new-api release later than 0.12.1 once the vendor publishes a fix; none was available at disclosure
  • Review application logs for anomalous Midjourney relay requests, both before the 2026-05-23 disclosure and especially after it, since a public proof-of-concept exists

Evidence notes

Vulnerability data sourced from NVD with VulDB as CNA. CVSS 4.0 vector: AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P (the E:P component records that a proof-of-concept exploit exists). NVD status is 'Deferred' as of 2026-05-26. Vendor identification is low-confidence and based on reference domain analysis.

Official resources

Public disclosure occurred on 2026-05-23 after the vendor did not respond. A proof-of-concept was published via GitHub Gist. No vendor advisory or fixed release is recorded on this page.