Home

Description

New API is a large language mode (LLM) gateway and artificial intelligence (AI) asset management system. Prior to 0.12.0-alpha.1, the default SSRF protection configuration did not apply IP filtering to hostnames; with ApplyIPFilterForDomain disabled by default, URL validation checked domain allow/block rules but did not resolve a hostname and validate the resolved IP address, allowing authenticated users to configure Webhook, Bark, or Gotify notification URLs that point at an internal or metadata IP address. This issue is fixed in version 0.12.0-alpha.1.

PUBLISHED Reserved 2026-03-23 | Published 2026-07-09 | Updated 2026-07-10 | Assigner GitHub_M




HIGH: 7.7CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Problem types

CWE-918: Server-Side Request Forgery (SSRF)

Product status

< 0.12.0-alpha.1
affected

References

github.com/...ew-api/security/advisories/GHSA-6qcr-qxgr-m7fv

github.com/...ommit/20399d3c8fcb4e3649d53163eb11940fd6763743

github.com/QuantumNous/new-api/releases/tag/v0.12.0-alpha.1

cve.org (CVE-2026-33655)

nvd.nist.gov (CVE-2026-33655)

Download JSON