๐Ÿ” CVE Alert

CVE-2026-33655

HIGH 7.7

New API: SSRF Protection Bypass via Unresolved Hostname in Notification URLs

CVSS Score
7.7
EPSS Score
0.4%
EPSS Percentile
35th

New API is a large language mode (LLM) gateway and artificial intelligence (AI) asset management system. Prior to 0.12.0-alpha.1, the default SSRF protection configuration did not apply IP filtering to hostnames; with ApplyIPFilterForDomain disabled by default, URL validation checked domain allow/block rules but did not resolve a hostname and validate the resolved IP address, allowing authenticated users to configure Webhook, Bark, or Gotify notification URLs that point at an internal or metadata IP address. This issue is fixed in version 0.12.0-alpha.1.

CWE CWE-918
Vendor quantumnous
Product new-api
Published Jul 9, 2026
Last Updated Jul 10, 2026
Stay Ahead of the Next One

Get instant alerts for quantumnous new-api

Be the first to know when new high vulnerabilities affecting quantumnous new-api are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Affected Versions

QuantumNous / new-api
< 0.12.0-alpha.1

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/QuantumNous/new-api/security/advisories/GHSA-6qcr-qxgr-m7fv github.com: https://github.com/QuantumNous/new-api/commit/20399d3c8fcb4e3649d53163eb11940fd6763743 github.com: https://github.com/QuantumNous/new-api/releases/tag/v0.12.0-alpha.1