CVE-2026-33655
QuantumNous · new-api
QuantumNous new-api is susceptible to Server-Side Request Forgery (SSRF), allowing an authenticated attacker to perform unauthorized requests from the application server.
Executive summary
A high-severity Server-Side Request Forgery vulnerability in the QuantumNous new-api LLM gateway poses a significant risk of unauthorized internal network interaction.
Vulnerability
This SSRF vulnerability exists within the application's request handling logic, which fails to properly validate user-supplied input. An authenticated user can leverage this flaw to force the server to interact with internal resources or unintended external destinations.
Business impact
The CVSS score of 7.7 highlights a significant risk, particularly due to the potential for bypassing network segmentation. Successful exploitation could allow an attacker to probe internal services, access sensitive cloud metadata, or interact with private APIs, potentially leading to a broader compromise of the organizational infrastructure.
Remediation
Immediate Action: Upgrade to version 0.12.0-alpha.1 or later immediately to apply the vendor-provided patch.
Proactive Monitoring: Review application and network logs for unusual outbound requests originating from the server hosting the new-api service.
Compensating Controls: Deploy a Web Application Firewall (WAF) with egress filtering rules to restrict the server's ability to communicate with unauthorized internal or external endpoints.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given that SSRF vulnerabilities in management systems can lead to full environmental compromise, immediate patching is required. Administrators should prioritize upgrading to version 0.12.0-alpha.1 to neutralize the attack vector.