CVE-2026-25591

New API is a large language model (LLM) gateway and artificial intelligence (AI) asset management system. Prior to version 0.10.8-alpha.10, a SQL LIKE wildcard injection vulnerability in the `/api/token/search` endpoint allows authenticated users to cause denial of service through resource exhaustion by crafting malicious search patterns. The token search endpoint accepts user-supplied `keyword` and `token` parameters that are directly concatenated into SQL LIKE clauses without escaping wildcard characters (`%`, `_`). This allows attackers to inject patterns that trigger expensive database queries. Version 0.10.8-alpha.10 contains a patch.
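As an added illustration (not code from the New API project or its patch), the Go sketch below places the unescaped wildcard wrapping the advisory describes beside an escaping helper, with a tiny LIKE evaluator so the difference can be seen offline; escapeLike, likeMatch and the sample token name are assumptions made for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// escapeLike neutralizes SQL LIKE metacharacters so a user-supplied keyword
// matches literally; the query must then declare `ESCAPE '\'`. Helper written
// for this example, not the project's own fix.
func escapeLike(s string) string {
	return strings.NewReplacer(`\`, `\\`, `%`, `\%`, `_`, `\_`).Replace(s)
}

// vulnerablePattern mirrors the behaviour the advisory describes: the raw
// keyword is wrapped in wildcards with no escaping.
func vulnerablePattern(keyword string) string { return "%" + keyword + "%" }

// hardenedPattern escapes the keyword before wrapping it in wildcards.
func hardenedPattern(keyword string) string { return "%" + escapeLike(keyword) + "%" }

// likeMatch is a minimal LIKE evaluator with backslash escaping, included only
// to show the effect of escaping offline; real matching happens in the database.
func likeMatch(pattern, s string) bool {
	if pattern == "" {
		return s == ""
	}
	switch pattern[0] {
	case '%': // zero or more characters
		for i := 0; i <= len(s); i++ {
			if likeMatch(pattern[1:], s[i:]) {
				return true
			}
		}
		return false
	case '_': // exactly one character
		return s != "" && likeMatch(pattern[1:], s[1:])
	case '\\': // escaped metacharacter: match it literally
		if len(pattern) > 1 {
			return s != "" && s[0] == pattern[1] && likeMatch(pattern[2:], s[1:])
		}
	}
	return s != "" && s[0] == pattern[0] && likeMatch(pattern[1:], s[1:])
}

func main() {
	// Constructed sample: a search for the literal string "%" against one token name.
	kw, name := "%", "sk-xyz"
	fmt.Println(likeMatch(vulnerablePattern(kw), name), likeMatch(hardenedPattern(kw), name)) // true false
}
```

With the unescaped pattern a bare `%` matches every row, while the escaped form only matches names that actually contain a percent sign.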
Configurations

Configuration 1

OR cpe:2.3:a:newapi:new_api:*:*:*:*:*:*:*:*
cpe:2.3:a:newapi:new_api:0.10.8:alpha1:*:*:*:*:*:*
cpe:2.3:a:newapi:new_api:0.10.8:alpha2:*:*:*:*:*:*
cpe:2.3:a:newapi:new_api:0.10.8:alpha3:*:*:*:*:*:*
cpe:2.3:a:newapi:new_api:0.10.8:alpha4:*:*:*:*:*:*
cpe:2.3:a:newapi:new_api:0.10.8:alpha5:*:*:*:*:*:*
cpe:2.3:a:newapi:new_api:0.10.8:alpha6:*:*:*:*:*:*
cpe:2.3:a:newapi:new_api:0.10.8:alpha7:*:*:*:*:*:*
cpe:2.3:a:newapi:new_api:0.10.8:alpha8:*:*:*:*:*:*
cpe:2.3:a:newapi:new_api:0.10.8:alpha9:*:*:*:*:*:*

History

03 Mar 2026, 17:22

Type: CPE
  Values added:
    cpe:2.3:a:newapi:new_api:0.10.8:alpha3:*:*:*:*:*:*
    cpe:2.3:a:newapi:new_api:0.10.8:alpha4:*:*:*:*:*:*
    cpe:2.3:a:newapi:new_api:0.10.8:alpha6:*:*:*:*:*:*
    cpe:2.3:a:newapi:new_api:0.10.8:alpha8:*:*:*:*:*:*
    cpe:2.3:a:newapi:new_api:0.10.8:alpha1:*:*:*:*:*:*
    cpe:2.3:a:newapi:new_api:0.10.8:alpha2:*:*:*:*:*:*
    cpe:2.3:a:newapi:new_api:0.10.8:alpha5:*:*:*:*:*:*
    cpe:2.3:a:newapi:new_api:*:*:*:*:*:*:*:*
    cpe:2.3:a:newapi:new_api:0.10.8:alpha9:*:*:*:*:*:*
    cpe:2.3:a:newapi:new_api:0.10.8:alpha7:*:*:*:*:*:*

Type: CVSS
  Values removed: v2 : unknown, v3 : unknown
  Values added:   v2 : unknown, v3 : 6.5

Type: Summary
  Values added:
    (es) New API is a large language model (LLM) gateway and artificial intelligence (AI) asset management system. Prior to version 0.10.8-alpha.10, a SQL LIKE wildcard injection vulnerability in the '/api/token/search' endpoint allows authenticated users to cause denial of service through resource exhaustion by crafting malicious search patterns. The token search endpoint accepts user-supplied 'keyword' and 'token' parameters that are concatenated directly into SQL LIKE clauses without escaping wildcard characters ('%', '_'). This allows attackers to inject patterns that trigger expensive database queries. Version 0.10.8-alpha.10 contains a patch.

Type: References
  Values removed:
    https://github.com/QuantumNous/new-api/commit/3e1be18310f35d20742683ca9e4bf3bcafc173c5
    https://github.com/QuantumNous/new-api/releases/tag/v0.10.8-alpha.10
    https://github.com/QuantumNous/new-api/security/advisories/GHSA-w6x6-9fp7-fqm4
  Values added:
    https://github.com/QuantumNous/new-api/commit/3e1be18310f35d20742683ca9e4bf3bcafc173c5 - Patch
    https://github.com/QuantumNous/new-api/releases/tag/v0.10.8-alpha.10 - Product
    https://github.com/QuantumNous/new-api/security/advisories/GHSA-w6x6-9fp7-fqm4 - Exploit, Mitigation, Vendor Advisory

Type: First Time
  Values added:
    Newapi
    Newapi new Api

24 Feb 2026, 01:16

Type: New CVE

Information

Published : 2026-02-24 01:16

Updated : 2026-03-03 17:22


NVD link : CVE-2026-25591

Mitre link : CVE-2026-25591

CVE.ORG link : CVE-2026-25591



Products Affected

newapi

  • new_api
CWE
CWE-943

Improper Neutralization of Special Elements in Data Query Logic