Server-Side Request Forgery Vulnerability in New API by QuantumNous
CVE-2026-42339

7.1 HIGH

Key Information:

Status
Vendor
CVE Published: 8 May 2026

What is CVE-2026-42339?

New API by QuantumNous is affected by a Server-Side Request Forgery (SSRF) vulnerability in versions 0.11.9-alpha.1 and earlier. The flaw arises from insufficient SSRF protection that fails to block requests routed to the address 0.0.0.0. A regular user with a valid API token can exploit this by sending multimodal requests to specific endpoints, which bypasses the private-IP filters. This can lead to the server issuing HTTP requests to localhost and, when integrated with the AWS/Bedrock Claude adaptor, escalates into the ability to read sensitive server-side content. At the time of this advisory, no patches are available to mitigate this vulnerability.
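The gap described above, shown as an added example that is not New API's own code: a filter that knows only loopback and private ranges lets 0.0.0.0 through, while a connect-time guard on the resolved address rejects it. All function and variable names here are hypothetical, and the destinations are constructed samples.

```go
package main

import (
	"fmt"
	"net"
	"net/netip"
	"syscall"
	"time"
)

// 0.0.0.0/8 ("this network"); on Linux a connect to 0.0.0.0 reaches the local host.
var thisNetwork = netip.MustParsePrefix("0.0.0.0/8")

// naiveBlocked models an incomplete filter (assumed shape, for contrast only).
func naiveBlocked(a netip.Addr) bool {
	return a.IsLoopback() || a.IsPrivate()
}

// hardenedBlocked also rejects unspecified, 0.0.0.0/8, link-local and multicast.
func hardenedBlocked(a netip.Addr) bool {
	a = a.Unmap() // treat ::ffff:0.0.0.0 the same as 0.0.0.0
	return a.IsUnspecified() || thisNetwork.Contains(a) || a.IsLoopback() ||
		a.IsPrivate() || a.IsLinkLocalUnicast() || a.IsMulticast()
}

// ssrfControl runs just before connect(), on the already-resolved address,
// so host names that resolve to a blocked address are rejected as well.
func ssrfControl(network, address string, _ syscall.RawConn) error {
	ap, err := netip.ParseAddrPort(address)
	if err != nil {
		return fmt.Errorf("ssrf guard: unparseable address %q: %w", address, err)
	}
	if hardenedBlocked(ap.Addr()) {
		return fmt.Errorf("ssrf guard: destination %s is not allowed", ap.Addr())
	}
	return nil
}

// verdicts parses a literal IP and returns both filters' decisions.
func verdicts(s string) (naive, hardened bool) {
	a := netip.MustParseAddr(s)
	return naiveBlocked(a), hardenedBlocked(a)
}

func main() {
	d := &net.Dialer{Timeout: 5 * time.Second, Control: ssrfControl}
	_, err := d.Dial("tcp", "0.0.0.0:80") // constructed destination; rejected before connect()
	fmt.Println(err)
}
```

Attaching the check to the dialer used for user-supplied URLs means redirects and DNS answers are validated at connection time rather than only when the URL string is parsed.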

Affected Version(s)

new-api <= 0.11.9-alpha.1

CVSS V4

Score: 7.1
Severity: HIGH
Confidentiality: Low
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
