CVE-2026-33655

QuantumNous · new-api

QuantumNous new-api is susceptible to Server-Side Request Forgery (SSRF), allowing an authenticated attacker to perform unauthorized requests from the application server.

Executive summary

A high-severity Server-Side Request Forgery vulnerability in the QuantumNous new-api LLM gateway poses a significant risk of unauthorized internal network interaction.

Vulnerability

This SSRF vulnerability exists within the application's request handling logic, which fails to properly validate user-supplied input. An authenticated user can leverage this flaw to force the server to interact with internal resources or unintended external destinations.

Business impact

The CVSS score of 7.7 highlights a significant risk, particularly due to the potential for bypassing network segmentation. Successful exploitation could allow an attacker to probe internal services, access sensitive cloud metadata, or interact with private APIs, potentially leading to a broader compromise of the organizational infrastructure.

Remediation

Immediate Action: Upgrade to version 0.12.0-alpha.1 or later immediately to apply the vendor-provided patch.

Proactive Monitoring: Review application and network logs for unusual outbound requests originating from the server hosting the new-api service.

Compensating Controls: Deploy a Web Application Firewall (WAF) with egress filtering rules to restrict the server's ability to communicate with unauthorized internal or external endpoints.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given that SSRF vulnerabilities in management systems can lead to full environmental compromise, immediate patching is required. Administrators should prioritize upgrading to version 0.12.0-alpha.1 to neutralize the attack vector.