HIGH
Newapi
CVE published 2026-05-08
CVE-2026-42339
CVE-2026-42339 describes an SSRF weakness in New API where the private-IP protection fails to block the unspecified address 0.0.0.0. An authenticated, non-admin user with any valid API token can submit a multimodal request to /v1/chat/completions, /v1/responses, or /v1/messages using 0.0.0.0 as an image or file URL host, causing the server to make requests to localhost. In the baseline case this is a blin [truncated]
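The filter gap described above, as an added Go example (not New API's own code): a deny-list limited to loopback and private ranges lets 0.0.0.0 through, while a hardened check enforced at dial time rejects it. The names `weakBlocked`, `hardenedBlocked`, `GuardDial` and `ErrBlockedDestination` are hypothetical, and the sample addresses are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"syscall"
)

// ErrBlockedDestination is returned when a fetch would reach a non-public address.
var ErrBlockedDestination = errors.New("destination address not allowed")

// weakBlocked models a deny-list that only covers loopback and private
// ranges (constructed for illustration; not New API's actual check).
func weakBlocked(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate()
}

// hardenedBlocked additionally rejects the unspecified address (0.0.0.0, ::),
// which the advisory notes reaches localhost, plus link-local and multicast.
func hardenedBlocked(ip net.IP) bool {
	return ip.IsUnspecified() || ip.IsLoopback() || ip.IsPrivate() ||
		ip.IsLinkLocalUnicast() || ip.IsMulticast()
}

// GuardDial is a net.Dialer Control hook. It sees the literal IP the socket
// is about to connect to, so it also covers hostnames and redirects that
// resolve to a blocked address after any URL-level validation.
func GuardDial(network, address string, _ syscall.RawConn) error {
	host, _, err := net.SplitHostPort(address)
	if err != nil {
		return err
	}
	ip := net.ParseIP(host)
	if ip == nil || hardenedBlocked(ip) {
		return fmt.Errorf("%w: %s", ErrBlockedDestination, address)
	}
	return nil
}

func main() {
	// Constructed sample destinations.
	for _, s := range []string{"0.0.0.0", "::", "127.0.0.1", "10.1.2.3", "169.254.169.254", "93.184.216.34"} {
		ip := net.ParseIP(s)
		fmt.Printf("%-16s weak=%-5v hardened=%v\n", s, weakBlocked(ip), hardenedBlocked(ip))
	}
	// Attach the hook to the dialer used for fetching user-supplied URLs.
	_ = &net.Dialer{Control: GuardDial}
}
```
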