CVE-2026-42339— New API: SSRF Filter Bypass via 0.0.0.0
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-42339
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
New API: SSRF Filter Bypass via 0.0.0.0
Source: NVD (National Vulnerability Database)
Vulnerability Description
New API is a large language mode (LLM) gateway and artificial intelligence (AI) asset management system. In versions 0.11.9-alpha.1 and prior, the SSRF protection introduced in v0.9.0.5 (CVE-2025-59146) and hardened in v0.9.6 (CVE-2025-62155) does not block the unspecified address 0.0.0.0. A regular (non-admin) user holding any valid API token can send a multimodal request to /v1/chat/completions, /v1/responses, or /v1/messages with 0.0.0.0 as the image/file URL host, bypassing the private-IP filter and causing the server to issue HTTP requests to localhost. This constitutes at minimum a blind SSRF; when the request is routed through an AWS/Bedrock Claude adaptor, the fetched content is inlined into the model response, upgrading it to a full-read SSRF. At time of publication, there are no publicly available patches.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
服务端请求伪造(SSRF)
Source: NVD (National Vulnerability Database)
Vulnerability Title
New API 代码问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
New API是QuantumNous开源的一个接口软件。 New API 0.11.9-alpha.1及之前版本存在代码问题漏洞,该漏洞源于SSRF保护未阻止未指定地址0.0.0.0,可能导致持有有效API令牌的用户绕过私有IP过滤器向本地主机发出HTTP请求。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| QuantumNous | new-api | <= 0.11.9-alpha.1 | - |
II. Public POCs for CVE-2026-42339
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-42339
请登录查看更多情报信息。
- SSRF Filter Bypass via 0.0.0.0 · Advisory · QuantumNous/new-api · GitHubx_refsource_CONFIRM
- https://nvd.nist.gov/vuln/detail/CVE-2026-42339
IV. Related Vulnerabilities
Same product: new-api
- CVE-2026-41432
New API: Stripe Webhook Signature Bypass via Empty Secret En - CVE-2026-32879
New API has passkey-based secure step-up verification bypass - CVE-2026-30886
New API: IDOR in VideoProxy allows cross-user video content - CVE-2026-25802
New API has Potential XSS in its MarkdownRenderer component - CVE-2026-25591
New API has an SQL LIKE Wildcard Injection DoS via Token Sea
Same vendor: QuantumNous
- CVE-2026-41432
New API: Stripe Webhook Signature Bypass via Empty Secret En - CVE-2026-32879
New API has passkey-based secure step-up verification bypass - CVE-2026-30886
New API: IDOR in VideoProxy allows cross-user video content - CVE-2026-25802
New API has Potential XSS in its MarkdownRenderer component - CVE-2026-25591
New API has an SQL LIKE Wildcard Injection DoS via Token Sea
Same weakness: CWE-918
- CVE-2026-8193
Akaunting Invoice PDF Rendering dompdf.php server-side reque - CVE-2026-44313
LinkWarden: Server-Side Request Forgery (SSRF) in Link Creat - CVE-2026-42352
pygeoapi 0.23.x: Unauthenticated SSRF via OGC API - Processe - CVE-2026-42346
Postiz: TOCTOU DNS rebinding bypasses all SSRF URL validatio - CVE-2026-44286
FastGPT: SSRF Vulnerability in Laf Workflow Node via Missing
V. Comments for CVE-2026-42339
No comments yet