CVE-2026-42339
Status: Received - Intake
Server-Side Request Forgery in New API AI Gateway

Publication date: 2026-05-08

Last updated on: 2026-05-18

Assigner: GitHub, Inc.

Description
New API is a large language model (LLM) gateway and artificial intelligence (AI) asset management system. In versions 0.11.9-alpha.1 and prior, the SSRF protection introduced in v0.9.0.5 (CVE-2025-59146) and hardened in v0.9.6 (CVE-2025-62155) does not block the unspecified address 0.0.0.0. A regular (non-admin) user holding any valid API token can send a multimodal request to /v1/chat/completions, /v1/responses, or /v1/messages with 0.0.0.0 as the image/file URL host, bypassing the private-IP filter and causing the server to issue HTTP requests to localhost. This constitutes at minimum a blind SSRF; when the request is routed through an AWS/Bedrock Claude adaptor, the fetched content is inlined into the model response, upgrading it to a full-read SSRF. At time of publication, there are no publicly available patches.
Meta Information
Generated: 2026-05-29
AI Q&A: 2026-05-09
EPSS Evaluated: 2026-05-28
Affected Vendors & Products (2 associated CPEs)
Vendor   Product   Version / Range
newapi   new_api   0.11.9
newapi   new_api   versions up to 0.11.9 (0.11.9 excluded)
CWE
CWE-918: The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability affects New API, a large language model gateway and AI asset management system. In versions 0.11.9-alpha.1 and earlier, the SSRF (Server-Side Request Forgery) protection does not block the unspecified address 0.0.0.0. Any regular user with a valid API token can therefore send a multimodal request to /v1/chat/completions, /v1/responses, or /v1/messages with 0.0.0.0 as the image or file URL host, and the private-IP filter lets it through.

As a result, the server issues HTTP requests to localhost, which is at minimum a blind SSRF. When the request is routed through an AWS/Bedrock Claude adaptor, the fetched content is inlined into the model response, escalating the issue to a full-read SSRF.

At the time of publication, no public patches are available to fix this vulnerability.


How can this vulnerability impact me?

An attacker holding any valid API token, not only an admin token, can bypass the private-IP filter and make the gateway issue HTTP requests to services bound to localhost on the gateway host. Even when the response is not returned (blind SSRF), that lets the attacker probe and trigger internal endpoints that are not exposed externally.

When the request is routed through an AWS/Bedrock Claude adaptor, the fetched content is inlined into the model response, so the attacker can also read what those internal endpoints return, including any sensitive data they serve.

Overall, the established impact is disclosure of data from, and unauthenticated interaction with, services reachable on the gateway's loopback interface. Whether that escalates further depends on what is listening there; the advisory itself documents only the SSRF primitive.


What immediate steps should I take to mitigate this vulnerability?

At the time of publication, there are no publicly available patches for this vulnerability.

Since any non-admin user with a valid API token can trigger the bypass by using 0.0.0.0 as the image/file URL host, the first step is to close the gap the existing filter leaves: reject 0.0.0.0 (and the rest of 0.0.0.0/8, plus the IPv6 unspecified address ::) wherever image and file URLs are validated, and, because the filter has now been bypassed twice, prefer an allowlist of public unicast targets over a growing blocklist, applied to resolved addresses rather than only to literals.

Until a fix ships, restrict API token issuance to trusted users, review or revoke existing tokens, and monitor requests to the affected endpoints (/v1/chat/completions, /v1/responses, /v1/messages) whose image or file URLs name 0.0.0.0, a loopback or private address, or a hostname that resolves to one. Consider disabling AWS/Bedrock Claude channels in the meantime, since those are what turn the blind SSRF into a full-read one.

Finally, reduce what an SSRF to localhost can reach: run the gateway in its own container or network namespace so nothing sensitive listens on loopback beside it, and require authentication on any local service that must stay co-located.
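The destination check and the request inspection described above, as an added example in Go (the language of the New API code base) that is not the project's own code: ipBlocked, CheckFetchURL and ImageURLs are names chosen here, the blocked ranges are this example's choice, the resolver is injected so the block runs offline, and the sample request body is constructed. It takes the allowlist approach (only global unicast passes) and then subtracts the ranges Go's net.IP predicates do not cover, which is where the 0.0.0.0/8 gap the advisory describes lives.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
	"net/url"
	"strings"
)

// ipBlocked is an allowlist: only global unicast passes, and even then RFC 1918
// / ULA (IsPrivate), 0.0.0.0/8 ("this" network, which IsGlobalUnicast accepts
// apart from 0.0.0.0 itself) and 100.64.0.0/10 (CGNAT) are refused. IPv4-in-IPv6
// forms such as ::ffff:0.0.0.0 are unmapped first so they cannot slip past.
func ipBlocked(ip net.IP) bool {
	if v4 := ip.To4(); v4 != nil {
		ip = v4
		if v4[0] == 0 || (v4[0] == 100 && v4[1]&0xc0 == 64) {
			return true
		}
	}
	return !ip.IsGlobalUnicast() || ip.IsPrivate()
}

// Resolver is injected so the example runs offline (assumption of this
// example). In production, resolve once, check every returned address, then
// dial the checked address rather than the hostname so a DNS-rebinding answer
// cannot swap it out between check and fetch.
type Resolver func(host string) ([]net.IP, error)

// CheckFetchURL rejects a user-supplied image/file URL whose target is a
// blocked IP literal, a localhost name, or a hostname resolving into a blocked
// range. Shorthand literals such as "0" or "0x7f000001" are not IPs to
// net.ParseIP, so they fall through to the resolver and are caught there.
func CheckFetchURL(raw string, resolve Resolver) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	host := strings.ToLower(u.Hostname()) // port and IPv6 brackets stripped
	if host == "" || host == "localhost" || strings.HasSuffix(host, ".localhost") {
		return fmt.Errorf("host %q not allowed", host)
	}
	if ip := net.ParseIP(host); ip != nil {
		if ipBlocked(ip) {
			return fmt.Errorf("address %s is in a blocked range", ip)
		}
		return nil
	}
	ips, err := resolve(host)
	if err != nil || len(ips) == 0 {
		return fmt.Errorf("host %q did not resolve: %v", host, err)
	}
	for _, ip := range ips {
		if ipBlocked(ip) {
			return fmt.Errorf("host %q resolves to blocked address %s", host, ip)
		}
	}
	return nil
}

// ImageURLs pulls every image_url.url out of an OpenAI-style chat-completions
// body, where the advisory's bypass payload would sit. Only the object form of
// image_url is handled; the /v1/responses and /v1/messages shapes differ and
// need their own walkers.
func ImageURLs(body []byte) ([]string, error) {
	var req struct {
		Messages []struct{ Content json.RawMessage `json:"content"` } `json:"messages"`
	}
	if err := json.Unmarshal(body, &req); err != nil {
		return nil, err
	}
	var out []string
	for _, m := range req.Messages {
		var parts []struct {
			Type     string                         `json:"type"`
			ImageURL struct{ URL string `json:"url"` } `json:"image_url"`
		}
		if json.Unmarshal(m.Content, &parts) != nil {
			continue // plain-string content carries no image parts
		}
		for _, p := range parts {
			if p.Type == "image_url" && p.ImageURL.URL != "" {
				out = append(out, p.ImageURL.URL)
			}
		}
	}
	return out, nil
}

func main() {
	// Constructed request in the shape of the advisory's bypass.
	body := []byte(`{"messages":[{"role":"user","content":[{"type":"image_url","image_url":{"url":"http://0.0.0.0:3000/api/status"}}]}]}`)
	urls, _ := ImageURLs(body)
	noDNS := func(string) ([]net.IP, error) { return nil, nil }
	for _, u := range urls {
		fmt.Println(u, "->", CheckFetchURL(u, noDNS))
	}
}
```

A real deployment would pass a Resolver built on net.DefaultResolver.LookupIPAddr and then connect to the address it checked, not to the hostname; net.IP.IsPrivate requires Go 1.17 or later. The same CheckFetchURL can run in a monitoring path over logged request bodies to flag the multimodal requests the mitigation section asks for.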

