Large Language Model Gateway SSRF Vulnerability in New API by QuantumNous
CVE-2026-33655
What is CVE-2026-33655?
The New API, developed by QuantumNous, suffers from a Server-Side Request Forgery (SSRF) vulnerability that affects versions prior to 0.12.0-alpha.1. The vulnerability arises due to inadequate filtering of hostnames in the default SSRF protection configuration. Specifically, when the ApplyIPFilterForDomain option is disabled by default, URL validation only checks specific domain allow/block rules without resolving the hostname to validate the associated IP address. As a result, authenticated users are able to configure notification URLs (such as Webhook, Bark, or Gotify) that could point to internal IP addresses or metadata services, which creates a significant security risk. This issue has been addressed in version 0.12.0-alpha.1, where improved security measures have been implemented.
Affected Version(s)
new-api < 0.12.0-alpha.1
