QuantumNous new-api
- 0.12.1
An authorization bypass vulnerability has been identified in QuantumNous new-api versions through 0.12.1. The issue arises in the Midjourney Image Relay Endpoint, specifically within the RelayMidjourneyImage function of the router/relay-router.go file. The vulnerability allows unauthenticated users to access and retrieve images belonging to other users by exploiting the endpoint '/mj/image/:id'. This is possible because the endpoint lacks proper authentication and object-level authorization, enabling cross-user image disclosure.
Exploitation of this vulnerability allows unauthorized access to Midjourney images belonging to other users, breaking cross-tenant data isolation and potentially exposing sensitive visual content.
The vulnerability can be reproduced by sending a GET request to the '/mj/image/:id' endpoint without an authentication token. The request must include a valid 'mj_id' that belongs to another user. The server will respond with the requested image, bypassing authorization checks.
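A mitigation sketch for the two missing checks described above, as an added example that is not code from new-api: a standard-library Go handler that first authenticates the caller and then verifies that the requested task belongs to that caller. The in-memory `tasks` and `tokens` maps, the bearer-token scheme and the `status` helper are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed sample data (assumption): task id -> owner, token -> user id.
type task struct {
	OwnerID int
	Image   []byte
}
var tasks = map[string]task{"task-a": {OwnerID: 1, Image: []byte("img-a")}}
var tokens = map[string]int{"tok-user1": 1, "tok-user2": 2}

// imageHandler serves /mj/image/<id> only to the authenticated owner.
func imageHandler(w http.ResponseWriter, r *http.Request) {
	// 1. Authentication: reject requests without a known bearer token.
	auth := r.Header.Get("Authorization")
	uid, known := tokens[strings.TrimPrefix(auth, "Bearer ")]
	if !strings.HasPrefix(auth, "Bearer ") || !known {
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	// 2. Object-level authorization: unknown and foreign ids both get 404.
	t, found := tasks[strings.TrimPrefix(r.URL.Path, "/mj/image/")]
	if !found || t.OwnerID != uid {
		http.Error(w, "not found", http.StatusNotFound)
		return
	}
	w.Write(t.Image)
}

// status sends a GET for the given id and token and returns the HTTP code.
func status(id, token string) int {
	req := httptest.NewRequest(http.MethodGet, "/mj/image/"+id, nil)
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rec := httptest.NewRecorder()
	imageHandler(rec, req)
	return rec.Code
}

func main() {
	fmt.Println(status("task-a", ""), status("task-a", "tok-user2"), status("task-a", "tok-user1"))
}
```

Returning the same 404 for a nonexistent id and for another user's id keeps the response from confirming which task ids exist.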