AI Sec Watch: A Security Intelligence Platform for AI Systems

Luu, T.J.

CVE-2026-30886: New API is a large language mode (LLM) gateway and artificial intelligence (AI) asset management system. Prior to versio

mediumvulnerabilityLLM-Specific

security

Source: NVD/CVE DatabaseMarch 23, 2026CVE-2026-30886

Summary

New API, an LLM (large language model) gateway and AI asset management system, had a vulnerability before version 0.11.4-alpha.2 that allowed any logged-in user to view videos belonging to other users through the video proxy endpoint. The problem was an IDOR vulnerability (insecure direct object reference, a flaw where the system doesn't check if a user owns the data they're requesting), caused by a function that checked only the video ID without verifying the user owned it.

Solution / Mitigation

Update to version 0.11.4-alpha.2 or later, which contains a patch addressing this vulnerability.

Vulnerability Details

CVSS Score

6.5(medium)

EPSS (30-day exploit probability)

EPSS: 0.0%

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Attack Vector

network

Attack Complexity

low

Privileges Required

low

User Interaction

none

Disclosure Date

March 23, 2026

Classification

Attack Type

Data Extraction

Attack SophisticationTrivial

Impact (CIA+S)

confidentialityintegrity

Taxonomy References

CWE (Weakness Type)

CWE-639

Affected Vendors

GoogleOpenAI

Related Issues

high

Anthropic accuses Chinese AI labs of mining Claude as US debates AI chip exports

Same vendorTechCrunch

critical

CVE-2025-45150: Insecure permissions in LangChain-ChatGLM-Webui commit ef829 allows attackers to arbitrarily view and download sensitive

Similar attackNVD/CVE Database

Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-30886

First tracked: March 23, 2026 at 08:07 PM

Classified by LLM (prompt v3) · confidence: 92%