A vulnerability was discovered in the New API large language mode (LLM) gateway and artificial intelligence (AI) asset management system, prior to version 0.12.0-alpha.1. The email and WeChat account binding endpoints, GET /api/oauth/email/bind and GET /api/oauth/wechat/bind, used GET requests for state-changing account operations. This allowed an attacker to trigger a logged-in user's browser to bind an [truncated]
CVE-2026-33655 is a high-severity SSRF vulnerability in an AI asset management system. Prior to version 0.12.0-alpha.1, the default SSRF protection configuration did not apply IP filtering to hostnames. With ApplyIPFilterForDomain disabled by default, URL validation checked domain allow/block rules but did not resolve a hostname and validate the resolved IP address. This allowed authenticated users to con [truncated]
A low-severity authorization bypass vulnerability affects QuantumNous new-api versions up to 0.12.1. The flaw resides in the RelayMidjourneyImage/GetByOnlyMJId function within router/relay-router.go, specifically at the Midjourney Image Relay Endpoint. Successful exploitation allows remote attackers to bypass authorization controls, though the attack requires high complexity and is considered difficult to [truncated]
A SQL injection vulnerability exists in QuantumNous new-api versions up to 0.12.1. The vulnerability is located in the SearchUserTopUps and SearchAllTopUps functions within model/topup.go. An authenticated attacker with low privileges can exploit this remotely to manipulate database queries. The CVSS 4.0 score of 2.1 reflects limited impact scope, though the public availability of exploit information incr [truncated]
New API is an LLM gateway and AI asset management system. Prior to version 0.12.10, the Stripe webhook handler fails to properly validate webhook event authenticity, allowing unauthenticated attackers to forge webhook events and credit arbitrary quota to their accounts without payment. The vulnerability stems from insufficient verification of webhook signatures (CWE-345: Insufficient Verification of Data [truncated]