Back to overview

CVE-2026-33655

HIGH
7.7
CVSS 3.1
Description
New API is a large language mode (LLM) gateway and artificial intelligence (AI) asset management system. Prior to 0.12.0-alpha.1, the default SSRF protection configuration did not apply IP filtering to hostnames; with ApplyIPFilterForDomain disabled by default, URL validation checked domain allow/block rules but did not resolve a hostname and validate the resolved IP address, allowing authenticated users to configure Webhook, Bark, or Gotify notification URLs that point at an internal or metadata IP address. This issue is fixed in version 0.12.0-alpha.1.

Metadata

CVE ID
CVE-2026-33655
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-03-23 15:23 UTC
Published
2026-07-09 22:28 UTC
Last updated
2026-07-09 22:28 UTC
Primary CWE
CWE-918
CWE-918: Server-Side Request Forgery (SSRF)
Vendor / Product
QuantumNous / new-api
Sources
cve.org  ·  NVD

Severity & Metrics

7.7 HIGH CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Affected products (1)
VendorProductPlatformVersions
QuantumNous new-api < 0.12.0-alpha.1
Weakness (CWE)
CWESourceDescription
CWE-918 cna CWE-918: Server-Side Request Forgery (SSRF)
CVSS scores (1)
ScoreSeverityVersionSourceVector
7.7 HIGH 3.1 cna CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
References (3)
Back to overview