CVE-2026-42339
Severity CVSS v4.0:
HIGH
Type:
CWE-918
Server-Side Request Forgery (SSRF)
Publication date:
08/05/2026
Last modified:
18/05/2026
Description
New API is a large language mode (LLM) gateway and artificial intelligence (AI) asset management system. In versions 0.11.9-alpha.1 and prior, the SSRF protection introduced in v0.9.0.5 (CVE-2025-59146) and hardened in v0.9.6 (CVE-2025-62155) does not block the unspecified address 0.0.0.0. A regular (non-admin) user holding any valid API token can send a multimodal request to /v1/chat/completions, /v1/responses, or /v1/messages with 0.0.0.0 as the image/file URL host, bypassing the private-IP filter and causing the server to issue HTTP requests to localhost. This constitutes at minimum a blind SSRF; when the request is routed through an AWS/Bedrock Claude adaptor, the fetched content is inlined into the model response, upgrading it to a full-read SSRF. At time of publication, there are no publicly available patches.
Impact
Base Score 4.0
7.10
Severity 4.0
HIGH
Base Score 3.x
7.10
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:newapi:new_api:*:*:*:*:*:*:*:* | 0.11.9 (excluding) | |
| cpe:2.3:a:newapi:new_api:0.11.9:alpha1:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page



