Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-30886 is an Insecure Direct Object Reference (IDOR) vulnerability in the new API's video proxy endpoint (`GET /v1/videos/:task_id/content`). This vulnerability allows any authenticated user to access video content belonging to other users if they know the victim's task_id."}, {'type': 'paragraph', 'content': 'The root cause is that the API fetches tasks using only the task_id without verifying that the requesting user owns the task. The vulnerable code uses a function that queries the database by task_id alone, missing an ownership check that is present elsewhere in the codebase.'}, {'type': 'paragraph', 'content': "Because of this missing authorization check, an attacker with a valid token and knowledge of another user's task_id can retrieve that user's video content and cause the server to authenticate to upstream AI providers using credentials derived from tasks they do not own."}] [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to unauthorized access to video content belonging to other users, violating tenant isolation and confidentiality.

An attacker can retrieve sensitive video data by exploiting the missing ownership check, potentially exposing private or confidential information.

Additionally, the server may authenticate to upstream AI providers (such as Google Gemini or OpenAI) using credentials from tasks the attacker does not own, which could lead to unintended use or exposure of those credentials.

The vulnerability has a CVSS v3.1 base score of 6.5, indicating a medium severity with high confidentiality impact but no impact on integrity or availability.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by attempting to access video content of other users using an authenticated token and a known task_id that does not belong to the authenticated user.'}, {'type': 'paragraph', 'content': "A proof of concept command to test for this vulnerability is to send an authenticated HTTP GET request to the vulnerable endpoint with a victim's task_id:"}, {'type': 'list_item', 'content': 'curl -o stolen_video.mp4 "https://<instance>/v1/videos/<victim_task_id>/content" -H "Authorization: Bearer sk-<attacker_token>"'}, {'type': 'paragraph', 'content': 'If the request returns HTTP 200 OK and the video content belonging to the victim, the system is vulnerable.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

[{'type': 'paragraph', 'content': "The immediate mitigation step is to update the video proxy endpoint to enforce ownership checks by including the authenticated user's ID when querying tasks."}, {'type': 'paragraph', 'content': 'Specifically, replace the vulnerable task lookup function call from querying by task_id alone to querying by both user_id and task_id.'}, {'type': 'list_item', 'content': 'Change from: model.GetByOnlyTaskId(taskID)'}, {'type': 'list_item', 'content': 'To: userId := c.GetInt("id") followed by model.GetByTaskId(userId, taskID)'}, {'type': 'paragraph', 'content': 'This patch is included starting from version 0.11.4-alpha.2 of the new-api.'}, {'type': 'paragraph', 'content': 'Applying the official patch or upgrading to version 0.11.4-alpha.2 or later will mitigate the vulnerability.'}] [1, 2]

Useful 0 Not Useful 0