CVE-2026-33655: New API is a large language mode (LLM) gateway and artificial intelligence (AI) asset management system. Prior to 0.12.0-alpha.1, the default SSRF protection configuration did not
New API is a large language mode (LLM) gateway and artificial intelligence (AI) asset management system. Prior to 0.12.0-alpha.1, the default SSRF protection configuration did not apply IP filtering to hostnames; with ApplyIPFilterForDomain disabled by default, URL validation checked domain allow/block rules but did not resolve a hostname and validate the resolved IP address, allowing authenticated users to configure Webhook, Bark, or Gotify notification URLs that point at an internal or metadata IP address. This issue is fixed in version 0.12.0-alpha.1.
Details
Original advisory: https://nvd.nist.gov/vuln/detail/CVE-2026-33655
Exploitation outlook
EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.
- Low exploitation riskCVE-2026-336550.44% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 35% of all scored CVEs.
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2026-33655 | coverage & exploitation status | NVD · CVE.org |
Same CVEs, other sources
How other CERTs, PSIRTs and databases cover the vulnerabilities in this advisory.
Recent advisories for New API is
A cluster of recent advisories against the same product widens the attack surface — attackers routinely chain freshly published CVEs on one product, so review these together.
- mediumCVE-2026-44342: New API is a large language mode (LLM) gateway and artificial intelligence (AI) asset manageme…nvd · 2026-07-09
- mediumGHSA-26v7-h57m-gh9m: New API is vulnerable to CSRF through user email bindingghsa · 2026-07-07
- highGHSA-6qcr-qxgr-m7fv: New API: SSRF Protection Bypass via Unresolved Hostname in Notification URLsghsa · 2026-07-07
- low[NEW] [low] WSO2 API Manager: Vulnerability allows information disclosurecert-bund · 2026-07-06
More from NVD Recent CVEs
- lowCVE-2026-61870: ImageMagick before 7.1.2-26 contains a memory leak vulnerability in the VIFF encoder when memo…2026-07-11
- lowCVE-2026-61861: ImageMagick before 7.1.2-26 contains a use-after-free vulnerability in the FormatMagickCaption…2026-07-11
- lowCVE-2026-61858: ImageMagick before 7.1.2-26 contains a policy bypass vulnerability in the APNG encoder and ext…2026-07-11
- lowCVE-2026-61857: ImageMagick before 7.1.2-26 contains a heap use-after-free vulnerability caused by missing nul…2026-07-11
- lowCVE-2026-61465: ImageMagick before 7.1.2-26 and 6.9.13-51 is missing a check for the allowed memory allocation…2026-07-11