Large Language Model Gateway SSRF Vulnerability in New API by QuantumNous
CVE-2026-33655

7.7HIGH

Key Information:

Status
Vendor
CVE Published:
9 July 2026

What is CVE-2026-33655?

The New API, developed by QuantumNous, suffers from a Server-Side Request Forgery (SSRF) vulnerability that affects versions prior to 0.12.0-alpha.1. The vulnerability arises due to inadequate filtering of hostnames in the default SSRF protection configuration. Specifically, when the ApplyIPFilterForDomain option is disabled by default, URL validation only checks specific domain allow/block rules without resolving the hostname to validate the associated IP address. As a result, authenticated users are able to configure notification URLs (such as Webhook, Bark, or Gotify) that could point to internal IP addresses or metadata services, which creates a significant security risk. This issue has been addressed in version 0.12.0-alpha.1, where improved security measures have been implemented.

Affected Version(s)

new-api < 0.12.0-alpha.1

References

CVSS V3.1

Score:
7.7
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.