CVE-2026-42339: CWE-918: Server-Side Request Forgery (SSRF) in QuantumNous new-api
New API is a large language mode (LLM) gateway and artificial intelligence (AI) asset management system. In versions 0.11.9-alpha.1 and prior, the SSRF protection introduced in v0.9.0.5 (CVE-2025-59146) and hardened in v0.9.6 (CVE-2025-62155) does not block the unspecified address 0.0.0.0. A regular (non-admin) user holding any valid API token can send a multimodal request to /v1/chat/completions, /v1/responses, or /v1/messages with 0.0.0.0 as the image/file URL host, bypassing the private-IP filter and causing the server to issue HTTP requests to localhost. This constitutes at minimum a blind SSRF; when the request is routed through an AWS/Bedrock Claude adaptor, the fetched content is inlined into the model response, upgrading it to a full-read SSRF. At time of publication, there are no publicly available patches.
AI Analysis
Technical Summary
QuantumNous new-api, an LLM gateway and AI asset management system, suffers from an SSRF vulnerability (CWE-918) in versions up to 0.11.9-alpha.1. The SSRF protections introduced in earlier versions fail to block the unspecified IP 0.0.0.0, enabling non-admin users with valid API tokens to send multimodal requests to certain endpoints with 0.0.0.0 as the image or file URL host. This bypasses private IP filters and causes the server to issue HTTP requests to localhost. When these requests are routed through an AWS/Bedrock Claude adaptor, the fetched content is embedded into the model response, effectively allowing full-read SSRF. The vulnerability is rated high severity with a CVSS 4.0 score of 7.1. The product is cloud-hosted, and no public patches are currently available.
Potential Impact
An attacker with any valid API token can exploit this SSRF vulnerability to make the server issue HTTP requests to localhost, bypassing private IP filters. This can lead to blind SSRF attacks and, when combined with the AWS/Bedrock Claude adaptor, full-read SSRF where fetched content is inlined into model responses. This could expose internal services or sensitive data accessible from localhost. No known exploits are reported in the wild at this time.
Mitigation Recommendations
As this is a cloud-hosted service, the vendor typically manages remediation server-side. At the time of publication, no public patches are available. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is confirmed, restrict API token distribution and monitor for unusual request patterns involving 0.0.0.0 in URLs if possible.
CVE-2026-42339: CWE-918: Server-Side Request Forgery (SSRF) in QuantumNous new-api
Description
New API is a large language mode (LLM) gateway and artificial intelligence (AI) asset management system. In versions 0.11.9-alpha.1 and prior, the SSRF protection introduced in v0.9.0.5 (CVE-2025-59146) and hardened in v0.9.6 (CVE-2025-62155) does not block the unspecified address 0.0.0.0. A regular (non-admin) user holding any valid API token can send a multimodal request to /v1/chat/completions, /v1/responses, or /v1/messages with 0.0.0.0 as the image/file URL host, bypassing the private-IP filter and causing the server to issue HTTP requests to localhost. This constitutes at minimum a blind SSRF; when the request is routed through an AWS/Bedrock Claude adaptor, the fetched content is inlined into the model response, upgrading it to a full-read SSRF. At time of publication, there are no publicly available patches.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
QuantumNous new-api, an LLM gateway and AI asset management system, suffers from an SSRF vulnerability (CWE-918) in versions up to 0.11.9-alpha.1. The SSRF protections introduced in earlier versions fail to block the unspecified IP 0.0.0.0, enabling non-admin users with valid API tokens to send multimodal requests to certain endpoints with 0.0.0.0 as the image or file URL host. This bypasses private IP filters and causes the server to issue HTTP requests to localhost. When these requests are routed through an AWS/Bedrock Claude adaptor, the fetched content is embedded into the model response, effectively allowing full-read SSRF. The vulnerability is rated high severity with a CVSS 4.0 score of 7.1. The product is cloud-hosted, and no public patches are currently available.
Potential Impact
An attacker with any valid API token can exploit this SSRF vulnerability to make the server issue HTTP requests to localhost, bypassing private IP filters. This can lead to blind SSRF attacks and, when combined with the AWS/Bedrock Claude adaptor, full-read SSRF where fetched content is inlined into model responses. This could expose internal services or sensitive data accessible from localhost. No known exploits are reported in the wild at this time.
Mitigation Recommendations
As this is a cloud-hosted service, the vendor typically manages remediation server-side. At the time of publication, no public patches are available. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is confirmed, restrict API token distribution and monitor for unusual request patterns involving 0.0.0.0 in URLs if possible.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-26T13:26:14.514Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
- Is Cloud Service
- true
Threat ID: 69fe68edcbff5d861039d871
Added to database: 5/8/2026, 10:51:25 PM
Last enriched: 5/8/2026, 11:07:04 PM
Last updated: 5/9/2026, 6:05:10 AM
Views: 8
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.