CVE-2026-25591: CWE-943: Improper Neutralization of Special Elements in Data Query Logic in QuantumNous new-api
CVE-2026-25591 is a high-severity SQL LIKE wildcard injection vulnerability in QuantumNous new-api versions prior to 0.10.8-alpha.10. It affects the /api/token/search endpoint, where authenticated users can supply unescaped wildcard characters in keyword and token parameters. This improper neutralization of special elements in SQL query logic (CWE-943) allows attackers to craft expensive search patterns that cause resource exhaustion, leading to denial of service. No user interaction beyond authentication is needed, and no known exploits are reported yet. The vulnerability is patched in version 0.10.8-alpha.
AI Analysis
Technical Summary
QuantumNous new-api, an AI asset management and large language model gateway system, suffers from a SQL LIKE wildcard injection vulnerability identified as CVE-2026-25591. The flaw exists in the /api/token/search endpoint, which accepts user-supplied 'keyword' and 'token' parameters concatenated directly into SQL LIKE clauses without escaping special wildcard characters such as '%' and '_'. This improper neutralization (CWE-943) enables authenticated users to inject crafted patterns that cause the database to execute highly expensive queries. These queries can exhaust server resources, resulting in denial of service conditions. The vulnerability requires authentication but no additional user interaction, and it does not compromise confidentiality or integrity directly. The issue affects all versions prior to 0.10.8-alpha.10, where a patch was introduced to properly escape or sanitize input parameters to prevent wildcard injection. Although no exploits are currently known in the wild, the vulnerability's nature and ease of exploitation make it a significant risk for service availability in affected deployments.
Potential Impact
The primary impact of CVE-2026-25591 is denial of service through resource exhaustion on the database and application servers hosting QuantumNous new-api. Attackers with valid credentials can degrade or completely disrupt service availability by submitting malicious search patterns that trigger expensive SQL LIKE queries. This can lead to downtime, degraded performance, and potential cascading effects on dependent AI asset management workflows and LLM gateway operations. Organizations relying on new-api for critical AI infrastructure may face operational interruptions, loss of productivity, and reputational damage. Since the vulnerability does not expose data confidentiality or integrity directly, the impact is focused on availability. However, prolonged denial of service could indirectly affect business continuity and incident response resources.
Mitigation Recommendations
To mitigate CVE-2026-25591, organizations should immediately upgrade QuantumNous new-api to version 0.10.8-alpha.10 or later, where the vulnerability is patched. If upgrading is not immediately feasible, implement input validation and sanitization on the 'keyword' and 'token' parameters to escape or reject SQL wildcard characters ('%', '_') before they reach the database layer. Employ rate limiting and monitoring on the /api/token/search endpoint to detect and block abnormal query patterns indicative of abuse. Restrict access to the token search functionality to only trusted and necessary users to reduce attack surface. Additionally, consider deploying database query timeouts and resource usage limits to prevent excessive resource consumption from malicious queries. Regularly audit logs for unusual search activity and maintain an incident response plan for denial of service events.
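As an added illustration of the flaw described in the Technical Summary and of the escape-or-reject mitigation above (this is not new-api's own code), the following Python uses an in-memory SQLite table as a stand-in for the token store and places an unescaped LIKE search beside a hardened one that escapes %, _ and the escape character, applies an explicit ESCAPE clause, and caps keyword length as the reject-side check. The table contents, MAX_KEYWORD_LEN and the function names are assumptions.

```python
import sqlite3

# Hypothetical upper bound on a search keyword; new-api's own limit, if any, is not on the page.
MAX_KEYWORD_LEN = 64


def escape_like(value: str) -> str:
    """Neutralize LIKE metacharacters so the keyword is matched literally.

    The escape character itself is doubled first so a user-supplied
    backslash cannot cancel the escaping applied to a following % or _.
    """
    return (value.replace("\\", "\\\\")
                 .replace("%", "\\%")
                 .replace("_", "\\_"))


def keyword_is_acceptable(keyword: str) -> bool:
    """Reject-side check: cap length so a pattern cannot grow without bound."""
    return 0 < len(keyword) <= MAX_KEYWORD_LEN


def search_tokens_vulnerable(conn: sqlite3.Connection, keyword: str) -> list:
    # Pre-patch shape described in the advisory: the keyword is bound as a
    # parameter (so there is no classic SQL injection), but % and _ inside it
    # still act as wildcards, which is the CWE-943 condition.
    pattern = f"%{keyword}%"
    rows = conn.execute("SELECT name FROM tokens WHERE name LIKE ? ORDER BY name", (pattern,))
    return [r[0] for r in rows]


def search_tokens_hardened(conn: sqlite3.Connection, keyword: str) -> list:
    # Escaped pattern plus an explicit ESCAPE clause, so the database treats
    # user-supplied % and _ as ordinary characters.
    if not keyword_is_acceptable(keyword):
        raise ValueError("keyword rejected")
    pattern = f"%{escape_like(keyword)}%"
    rows = conn.execute(
        "SELECT name FROM tokens WHERE name LIKE ? ESCAPE '\\' ORDER BY name", (pattern,))
    return [r[0] for r in rows]


def demo_db() -> sqlite3.Connection:
    # Constructed sample rows standing in for new-api's token table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tokens (name TEXT)")
    conn.executemany("INSERT INTO tokens VALUES (?)",
                     [("prod-key",), ("dev_key",), ("dev-key",), ("50%-off",), ("staging",)])
    return conn
```

With the same rows, a keyword of "%" returns every token from the vulnerable search but only the one containing a literal percent sign from the hardened one; the ESCAPE clause is standard SQL, so the same escaping carries over to MySQL and PostgreSQL as long as the escape character matches.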
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Japan, South Korea, Netherlands, Singapore
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-03T01:02:46.716Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 699cfc3cbe58cf853bfd2f48
Added to database: 2/24/2026, 1:17:48 AM
Last enriched: 2/24/2026, 1:31:46 AM
Last updated: 2/24/2026, 6:07:17 AM