CVE-2026-33655
HIGH
7.7
CVSS 3.1
Description
New API is a large language mode (LLM) gateway and artificial intelligence (AI) asset management system. Prior to 0.12.0-alpha.1, the default SSRF protection configuration did not apply IP filtering to hostnames; with ApplyIPFilterForDomain disabled by default, URL validation checked domain allow/block rules but did not resolve a hostname and validate the resolved IP address, allowing authenticated users to configure Webhook, Bark, or Gotify notification URLs that point at an internal or metadata IP address. This issue is fixed in version 0.12.0-alpha.1.
Metadata
Severity & Metrics
7.7
HIGH CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Affected products (1)
| Vendor | Product | Platform | Versions |
|---|---|---|---|
| QuantumNous | new-api | — | < 0.12.0-alpha.1 |
Weakness (CWE)
| CWE | Source | Description |
|---|---|---|
| CWE-918 | cna | CWE-918: Server-Side Request Forgery (SSRF) |
CVSS scores (1)
| Score | Severity | Version | Source | Vector |
|---|---|---|---|---|
| 7.7 | HIGH | 3.1 | cna | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N |
References (3)
- https://github.com/QuantumNous/new-api/security/advisories/GHSA-6qcr-qxgr-m7fv https://github.com/QuantumNous/new-api/security/advisories/GHSA-6qcr-qxgr-m7fv
- https://github.com/QuantumNous/new-api/commit/20399d3c8fcb4e3649d53163eb11940fd6763743 https://github.com/QuantumNous/new-api/commit/20399d3c8fcb4e3649d53163eb11940fd6763743
- https://github.com/QuantumNous/new-api/releases/tag/v0.12.0-alpha.1 https://github.com/QuantumNous/new-api/releases/tag/v0.12.0-alpha.1