PatchSiren cyber security CVE debrief
CVE-2026-42339 Newapi CVE debrief
CVE-2026-42339 describes an SSRF weakness in New API where the private-IP protection fails to block the unspecified address 0.0.0.0. An authenticated, non-admin user with any valid API token can submit a multimodal request to /v1/chat/completions, /v1/responses, or /v1/messages using 0.0.0.0 as an image or file URL host, causing the server to make requests to localhost. In the baseline case this is a blind SSRF. The supplied advisory further notes that when traffic is routed through an AWS/Bedrock Claude adaptor, fetched content may be inlined into the model response, which can turn the issue into a full-read SSRF. The vulnerable range in the supplied NVD record is all versions before 0.11.9, including 0.11.9-alpha1. NVD also maps the issue to CWE-918 and rates it High with CVSS 7.1.
- Vendor: Newapi
- Product: New API
- CVSS: HIGH 7.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-08
- Original CVE updated: 2026-05-18
- Advisory published: 2026-05-08
- Advisory updated: 2026-05-18
Who should care
Operators of New API deployments, especially those exposing the multimodal endpoints (/v1/chat/completions, /v1/responses, /v1/messages) to authenticated users, should treat this as high priority. Because any valid API token is enough to trigger the fetch, deployments that issue tokens to low-privilege or third-party users are exposed by default. Teams integrating New API with AWS/Bedrock Claude adaptors, or with other backends that may echo fetched content back into the response, have the most immediate exposure because the issue stops being blind there.
Technical summary
The issue is an SSRF filter bypass. New API's SSRF defense, introduced in v0.9.0.5 and hardened in v0.9.6 per the supplied description, does not reject the unspecified address 0.0.0.0 as an internal destination. On Linux hosts a TCP connection to 0.0.0.0 is delivered to the local machine, so a URL whose host is 0.0.0.0 reaches whatever is listening on localhost, including services bound only to the loopback interface, even though a literal 127.0.0.1 is blocked. Because the fetch happens in the standard multimodal ingestion path (image and file URLs in chat, responses, and messages requests), any authenticated user can trigger it without admin privileges. In the baseline case the caller learns only whether the fetch succeeded or failed (blind SSRF). The supplied advisory indicates that when the request is routed through an AWS/Bedrock Claude adaptor the fetched content may be inlined into the model response, returning the resource body to the caller and raising the impact to readable SSRF in those deployments.
Defensive priority
High. This is an SSRF reachable by any authenticated user over the network, on API endpoints that are typically exposed externally, with confirmed localhost reachability and, in some configurations, exfiltration of the fetched content back to the caller.
Recommended defensive actions
- Inventory New API instances and treat any version earlier than 0.11.9 (including 0.11.9-alpha1) as vulnerable. The NVD range stops at 0.11.9, but the supplied source reports no public patch at publication time, so confirm against the vendor advisory that the build you upgrade to actually contains the fix.
- Until a fixed build is confirmed, restrict the multimodal endpoints (image and file URL inputs on /v1/chat/completions, /v1/responses, and /v1/messages) to trusted users only.
- Enforce egress control for New API's server-side fetches at the network layer (host firewall, network policy, or an egress proxy), denying connections to loopback, link-local, private ranges, and the unspecified address, so that an application-level filter bypass cannot reach localhost services.
- Validate that the application-level SSRF check rejects 0.0.0.0 and :: (and their IPv4-mapped forms) in addition to private ranges and loopback addresses, and that it is applied to the resolved address at connection time rather than only to the URL string.
- In request logs, alert on image or file URLs whose host is a bare IP literal, in particular 0.0.0.0, 127.0.0.0/8, 169.254.169.254, or ::. This is also the quickest way to find attempted exploitation before the fix is deployed.
- If AWS/Bedrock Claude adaptor paths are enabled, assume the blast radius includes readable SSRF and review those integrations separately, including which localhost services (management ports, metrics endpoints, databases with HTTP interfaces) would return sensitive content to an unauthenticated local request.
- Monitor the vendor advisory and official CVE/NVD records for patch availability and remediation guidance.
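The following is an added example of the destination check that the technical summary and the validation action above describe. It is written in Go, the language of the New API code base, but it is not New API's code and does not reproduce the project's own filter; the function names, the hypothetical hosts cdn.example and rebind.example, and the DNS answers are all constructed for illustration. It rejects the unspecified addresses 0.0.0.0 and :: and their IPv4-mapped forms alongside loopback, private, link-local, multicast and carrier-grade NAT ranges, checks every address a hostname resolves to, and re-checks at socket-connect time through a net.Dialer.Control hook so that redirects and DNS rebinding cannot route around the URL-level check.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
	"net/url"
	"syscall"
)

// ErrUnsafeDestination is returned for any address a server-side fetch must not reach.
var ErrUnsafeDestination = errors.New("destination is internal or unspecified")

// IsUnsafeAddr reports whether addr must never be a fetch target. The unspecified
// addresses 0.0.0.0 and :: are rejected explicitly: on Linux a TCP connect to
// 0.0.0.0 is delivered to the local host, which is the gap CVE-2026-42339
// describes in a filter that only lists loopback and private ranges.
func IsUnsafeAddr(addr netip.Addr) bool {
	addr = addr.Unmap() // judge ::ffff:127.0.0.1 as 127.0.0.1
	if !addr.IsValid() || addr.IsUnspecified() || addr.IsLoopback() ||
		addr.IsPrivate() || addr.IsLinkLocalUnicast() || addr.IsMulticast() {
		return true
	}
	// Ranges net/netip has no predicate for (RFC 6890): "this network" and carrier-grade NAT.
	return netip.MustParsePrefix("0.0.0.0/8").Contains(addr) ||
		netip.MustParsePrefix("100.64.0.0/10").Contains(addr)
}

// LookupFunc resolves a hostname. It is injected so the check runs offline here;
// production code would pass a wrapper around net.DefaultResolver.LookupNetIP.
type LookupFunc func(host string) ([]netip.Addr, error)

// CheckFetchURL validates a user-supplied image or file URL before any fetch.
// Every resolved address is checked, not just the first, so a mixed DNS answer
// (one public, one loopback) still fails. Callers should dial one of the
// returned addresses rather than re-resolving, to avoid a rebinding race.
func CheckFetchURL(raw string, lookup LookupFunc) ([]netip.Addr, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	host := u.Hostname() // brackets already stripped from IPv6 literals
	if host == "" {
		return nil, errors.New("empty host")
	}
	addrs := []netip.Addr{}
	if ip, perr := netip.ParseAddr(host); perr == nil {
		addrs = append(addrs, ip) // literal IP: no DNS step
	} else if addrs, err = lookup(host); err != nil {
		return nil, err
	}
	if len(addrs) == 0 {
		return nil, fmt.Errorf("host %q resolved to nothing", host)
	}
	for _, a := range addrs {
		if IsUnsafeAddr(a) {
			return nil, fmt.Errorf("%w: %s -> %s", ErrUnsafeDestination, host, a)
		}
	}
	return addrs, nil
}

// DialControl is a net.Dialer.Control hook that re-checks the address the socket
// is about to connect to. Installed on the http.Transport used for fetches, it
// covers redirects and late DNS changes at the point of connection.
func DialControl(network, address string, _ syscall.RawConn) error {
	ap, err := netip.ParseAddrPort(address)
	if err != nil {
		return err
	}
	if IsUnsafeAddr(ap.Addr()) {
		return fmt.Errorf("%w: %s", ErrUnsafeDestination, ap.Addr())
	}
	return nil
}

func main() {
	dns := map[string][]netip.Addr{ // constructed offline answers, hypothetical names
		"cdn.example":    {netip.MustParseAddr("203.0.113.10")},
		"rebind.example": {netip.MustParseAddr("203.0.113.10"), netip.MustParseAddr("127.0.0.1")},
	}
	lookup := func(host string) ([]netip.Addr, error) { return dns[host], nil }
	for _, u := range []string{
		"http://0.0.0.0:3000/",           // the CVE-2026-42339 bypass
		"http://[::]:3000/",              // IPv6 unspecified
		"http://[::ffff:127.0.0.1]/",     // IPv4-mapped loopback
		"http://169.254.169.254/latest/", // cloud metadata
		"http://rebind.example/img.png",  // mixed DNS answer
		"https://cdn.example/img.png",    // allowed
	} {
		_, err := CheckFetchURL(u, lookup)
		fmt.Printf("%-32s %v\n", u, err)
	}
}
```

The URL-level check alone is not sufficient, because the address that is validated and the address that is dialed can differ (a second DNS answer, a 302 to an internal host). Wiring DialControl into the dialer used by the fetching http.Transport closes that gap, since the kernel connects to exactly the address the hook has approved.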
Evidence notes
All factual claims are taken from the supplied CVE description and the provided NVD metadata. The description states that versions 0.11.9-alpha.1 and earlier are affected, that 0.0.0.0 bypasses the SSRF protection, that a regular user with a valid API token can trigger requests through multimodal endpoints, and that AWS/Bedrock Claude adaptor routing may expose fetched content in responses. The NVD metadata marks the weakness as CWE-918 and lists the vulnerable version range as all versions before 0.11.9, including 0.11.9-alpha1. The supplied source also indicates there were no publicly available patches at publication time.
Official resources
- CVE-2026-42339 CVE record (CVE.org)
- CVE-2026-42339 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] (tagged Exploit, Mitigation, Vendor Advisory)
Published by the CVE program on 2026-05-08. The supplied description states that no publicly available patches were available at publication time.