CVE-2026-42339 Overview
CVE-2026-42339 is a Server-Side Request Forgery (SSRF) vulnerability in New API, a large language model (LLM) gateway and AI asset management system. The flaw affects versions 0.11.9-alpha.1 and prior. The SSRF protection added in v0.9.0.5 (CVE-2025-59146) and hardened in v0.9.6 (CVE-2025-62155) fails to block the unspecified address 0.0.0.0. Any authenticated user with a valid API token can send a multimodal request that forces the server to issue HTTP requests to localhost. The weakness is classified under CWE-918.
Critical Impact
Authenticated low-privilege users can pivot from blind SSRF to full-read SSRF against internal services when requests route through the AWS/Bedrock Claude adaptor. No patch is available at publication.
Affected Products
- New API (QuantumNous/new-api) versions 0.11.9-alpha.1 and prior
- Deployments using the AWS/Bedrock Claude adaptor (full-read SSRF impact)
- Any New API instance exposing /v1/chat/completions, /v1/responses, or /v1/messages
Discovery Timeline
- 2026-05-08 - CVE-2026-42339 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-42339
Vulnerability Analysis
The vulnerability resides in the SSRF protection logic that filters image and file URL hosts in multimodal requests. Prior advisories (CVE-2025-59146 and CVE-2025-62155) introduced and then hardened a private-IP block list. However, the filter does not include the unspecified IPv4 address 0.0.0.0. On most operating systems, 0.0.0.0 resolves to the local host when used as a destination, granting access to services bound to loopback or listening on all interfaces.
An attacker with a regular API token submits a multimodal request to /v1/chat/completions, /v1/responses, or /v1/messages. The image or file URL specifies 0.0.0.0 as the host. The gateway fetches the URL server-side, contacting internal services that should not be reachable from external clients. When the request is processed through the AWS/Bedrock Claude adaptor, the fetched response body is inlined into the model output, returning internal content directly to the attacker.
Root Cause
The URL host validator enumerates private and loopback ranges but omits 0.0.0.0 from the deny list. This incomplete block list allows the unspecified address to bypass the filter while still resolving to local services on the host.
Attack Vector
The attack requires network access to the New API HTTP endpoints and a valid (non-admin) API token. The attacker crafts a JSON payload that references an image or file at http://0.0.0.0:<port>/<path>. The server issues the outbound HTTP request from its own network namespace, reaching cloud metadata services, internal admin panels, or other loopback-bound applications. With the Bedrock Claude adaptor, retrieved bytes are echoed inside the model response, converting blind SSRF into a readable channel.
Detection Methods for CVE-2026-42339
Indicators of Compromise
- Outbound HTTP requests from the New API process to 0.0.0.0, 127.0.0.1, or other loopback destinations
- Multimodal request payloads to /v1/chat/completions, /v1/responses, or /v1/messages containing image or file URLs with host 0.0.0.0
- Model responses containing content matching internal service banners, metadata service JSON, or local file contents
Detection Strategies
- Inspect HTTP access logs and reverse proxy logs for request bodies referencing 0.0.0.0 as a URL host
- Monitor egress and loopback connections originating from the New API service process for anomalous internal destinations
- Correlate API token identifiers with multimodal requests targeting non-public URL hosts to identify low-privilege abuse
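The incomplete deny list described under Root Cause, and the payload inspection suggested in the detection strategies above, as one added example that is not New API's own code: a host validator that treats the unspecified address (0.0.0.0 / ::) like loopback, plus a walker that applies it to an OpenAI-style multimodal body so the same logic can run over logged request bodies. The key names url/image_url/file_url, the function names and the sample payload are assumptions of this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
	"net/url"
)

// HostAllowed rejects non-http(s) schemes and IP-literal hosts that are loopback, private, link-local
// or unspecified (0.0.0.0 / ::), the case the original deny list omitted. Hostnames are not resolved
// here; a real filter must re-check the resolved IP at dial time, or DNS rebinding bypasses it.
func HostAllowed(raw string) bool {
	u, err := url.Parse(raw)
	if err != nil || (u.Scheme != "http" && u.Scheme != "https") {
		return false
	}
	if ip := net.ParseIP(u.Hostname()); ip != nil {
		return !(ip.IsUnspecified() || ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast())
	}
	return true
}
// FlaggedURLs walks a multimodal body (live or logged) and returns every string under a
// url/image_url/file_url key that HostAllowed rejects (key names are an assumption).
func FlaggedURLs(body []byte) (out []string) {
	var doc interface{}
	if json.Unmarshal(body, &doc) != nil {
		return nil
	}
	var walk func(interface{})
	walk = func(v interface{}) {
		m, _ := v.(map[string]interface{})
		for k, val := range m {
			if s, ok := val.(string); ok && (k == "url" || k == "image_url" || k == "file_url") && !HostAllowed(s) {
				out = append(out, s)
			}
			walk(val)
		}
		arr, _ := v.([]interface{})
		for _, val := range arr {
			walk(val)
		}
	}
	walk(doc)
	return out
}
func main() { // constructed sample payload, not a captured request
	body := `{"messages":[{"role":"user","content":[{"type":"image_url","image_url":{"url":"http://0.0.0.0:8080/admin"}},` +
		`{"type":"image_url","image_url":{"url":"https://example.com/cat.png"}}]}]}`
	fmt.Println(FlaggedURLs([]byte(body))) // [http://0.0.0.0:8080/admin]
}
```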
Monitoring Recommendations
- Enable verbose request logging for multimodal endpoints and ship logs to a central SIEM for retention and search
- Alert on any server-side fetch where the resolved destination is loopback, link-local, or cloud metadata (169.254.169.254)
- Track usage patterns per API token and flag accounts issuing repeated multimodal requests with unusual URL hosts
How to Mitigate CVE-2026-42339
Immediate Actions Required
- Restrict access to the New API service so that only trusted users can obtain or use API tokens until a patch is released
- Block egress from the New API host to loopback, link-local, and internal management subnets at the network or container level
- Disable or restrict the AWS/Bedrock Claude adaptor to prevent escalation from blind SSRF to full-read SSRF
- Rotate any secrets, cloud credentials, or tokens that may have been retrievable via internal HTTP endpoints reachable from the gateway host
Patch Information
At the time of publication, no official patch is available. Track the GitHub Security Advisory GHSA-v5c3-6wvc-pc2q for updates from the maintainers.
Workarounds
- Deploy a forward proxy or egress firewall that denies connections to 0.0.0.0, 127.0.0.0/8, 169.254.0.0/16, and RFC 1918 ranges from the New API service
- Run the New API container in a network namespace with no route to loopback-exposed administrative services on the host
- Add an upstream Web Application Firewall (WAF) rule that rejects multimodal requests whose image or file URLs contain 0.0.0.0 as the host component
# Example ModSecurity rule fragment to block 0.0.0.0 hosts in multimodal payloads (rule ids are examples).
# Requires SecRequestBodyAccess On. REQUEST_BODY is not populated for JSON bodies unless the raw body
# variable is forced, so a phase 1 rule does that for the affected endpoints first.
SecRule REQUEST_URI "@rx ^/v1/(chat/completions|responses|messages)$" \
    "id:1042338,phase:1,pass,nolog,ctl:forceRequestBodyVariable=On"
# Phase 2: deny when a url/image_url/file key in the (lowercased) body points at http(s)://0.0.0.0
SecRule REQUEST_URI "@rx ^/v1/(chat/completions|responses|messages)$" \
    "id:1042339,phase:2,deny,status:400,\
    msg:'Block SSRF via 0.0.0.0 host (CVE-2026-42339)',\
    chain"
    SecRule REQUEST_BODY "@rx \"(image_url|url|file)\"\s*:\s*\"https?://0\.0\.0\.0" \
        "t:none,t:lowercase"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.