Description
New API is a large language model (LLM) gateway and artificial intelligence (AI) asset management system. In versions 0.11.9-alpha.1 and prior, the SSRF protection introduced in v0.9.0.5 (CVE-2025-59146) and hardened in v0.9.6 (CVE-2025-62155) does not block the unspecified address 0.0.0.0. A regular (non-admin) user holding any valid API token can send a multimodal request to /v1/chat/completions, /v1/responses, or /v1/messages with 0.0.0.0 as the image/file URL host, bypassing the private-IP filter and causing the server to issue HTTP requests to localhost. This constitutes at minimum a blind SSRF; when the request is routed through an AWS/Bedrock Claude adaptor, the fetched content is inlined into the model response, upgrading it to a full-read SSRF. At time of publication, there are no publicly available patches.
Published: 2026-05-08
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a blind Server-Side Request Forgery that exists in QuantumNous New API versions 0.11.9‑alpha.1 and earlier. A non‑administrative user who has a valid API token can submit a multimodal request to the /v1/chat/completions, /v1/responses, or /v1/messages endpoints and specify the image or file URL host as 0.0.0.0. The code that was intended to block requests to private addresses fails to reject this unspecified address, permitting the server to perform HTTP requests to localhost. When the request is processed through an AWS or Bedrock Claude adaptor, the retrieved content is inserted into the LLM response, effectively turning the blind SSRF into a full‑read SSRF that can expose internal data or code.

Affected Systems

The affected product is QuantumNous New API, specifically all releases up to and including 0.11.9‑alpha.1. The fix that hardened the SSRF protection was introduced in v0.9.0.5 and further strengthened in v0.9.6, but the 0.0.0.0 bypass remains present. No publicly available patches exist as of the advisory date. Systems using the affected OpenAI‑compatible endpoints with multimodal input are at risk.

Risk and Exploitability

With a CVSS score of 7.1, the vulnerability presents moderate to high severity. No EPSS score is available, and the issue is not listed in CISA’s KEV catalog. The likely attack vector is via authenticated API calls: an attacker with a valid token can trigger the SSRF. If the request is routed through an AWS/Bedrock adapter, the attack can lead to internal data leakage or code execution, raising the urgency of preventive measures.

Generated by OpenCVE AI on May 8, 2026 at 23:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor patch as soon as it is released to fully eliminate the SSRF filter bypass.
  • Until a patch is available, restrict API access for non‑admin users or add IP‑level filtering so that requests whose image/file URL host is 0.0.0.0 or localhost are rejected by your infrastructure.
  • Monitor API logs for requests to /v1/chat/completions, /v1/responses, or /v1/messages that include the 0.0.0.0 host and investigate any anomalous activity.
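A hardened host check of the kind the advisory describes as missing, which rejects the unspecified addresses 0.0.0.0 and :: (including the IPv4-mapped form ::ffff:0.0.0.0) alongside loopback, private and link-local ranges. This is an added Go example, not code from the New API project; the function names and sample URLs are constructed.

```go
package main

import (
	"fmt"
	"net/netip"
	"net/url"
	"strings"
)

// blockedAddr reports whether the server must never fetch from addr. Besides
// loopback, private, link-local and multicast ranges it rejects the unspecified
// addresses 0.0.0.0 and :: (on Linux, connecting to 0.0.0.0 reaches localhost),
// which is the gap the advisory above describes.
func blockedAddr(addr netip.Addr) bool {
	addr = addr.Unmap() // fold ::ffff:0.0.0.0 into 0.0.0.0 so the IPv4 checks apply
	return addr.IsUnspecified() || addr.IsLoopback() || addr.IsPrivate() ||
		addr.IsLinkLocalUnicast() || addr.IsLinkLocalMulticast() || addr.IsMulticast()
}

// checkFetchURL validates the host of an image/file URL taken from a multimodal
// request. Only IP literals are decided here; for a hostname the caller must
// resolve it, run every resolved address through blockedAddr and dial that
// vetted address rather than the name, so DNS rebinding cannot undo the check.
func checkFetchURL(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	host := strings.ToLower(u.Hostname())
	if host == "" || host == "localhost" || strings.HasSuffix(host, ".localhost") {
		return fmt.Errorf("host %q not allowed", host)
	}
	addr, err := netip.ParseAddr(host)
	if err != nil {
		return nil // not an IP literal: resolve, then re-check each address
	}
	if blockedAddr(addr) {
		return fmt.Errorf("address %s not allowed for server-side fetches", addr)
	}
	return nil
}
func main() { // constructed sample URLs; the first two are the advisory's bypass shape
	for _, s := range []string{"http://0.0.0.0:3000/", "http://[::ffff:0.0.0.0]/", "https://example.org/cat.png"} {
		fmt.Println(s, "->", checkFetchURL(s))
	}
}
```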



Advisories
Source: Github GHSA
ID: GHSA-v5c3-6wvc-pc2q
Title: QuantumNous/new-api has an SSRF Filter Bypass via 0.0.0.0
History

Sat, 09 May 2026 00:00:00 +0000

Type: First Time appeared
Values Added: Quantumnous; Quantumnous new-api

Type: Vendors & Products
Values Added: Quantumnous; Quantumnous new-api

Fri, 08 May 2026 22:45:00 +0000

Type: Description
Values Added: New API is a large language model (LLM) gateway and artificial intelligence (AI) asset management system. In versions 0.11.9-alpha.1 and prior, the SSRF protection introduced in v0.9.0.5 (CVE-2025-59146) and hardened in v0.9.6 (CVE-2025-62155) does not block the unspecified address 0.0.0.0. A regular (non-admin) user holding any valid API token can send a multimodal request to /v1/chat/completions, /v1/responses, or /v1/messages with 0.0.0.0 as the image/file URL host, bypassing the private-IP filter and causing the server to issue HTTP requests to localhost. This constitutes at minimum a blind SSRF; when the request is routed through an AWS/Bedrock Claude adaptor, the fetched content is inlined into the model response, upgrading it to a full-read SSRF. At time of publication, there are no publicly available patches.

Type: Title
Values Added: New API: SSRF Filter Bypass via 0.0.0.0

Type: Weaknesses
Values Added: CWE-918

Type: References

Type: Metrics
Values Added: cvssV4_0
{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-08T22:21:53.902Z

Reserved: 2026-04-26T13:26:14.514Z

Link: CVE-2026-42339

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-08T23:16:36.917

Modified: 2026-05-08T23:16:36.917

Link: CVE-2026-42339

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-08T23:45:20Z

Weaknesses