PT-2026-56211 · Go+1 · Github.Com/Quantumnous/New-Api+1
Published
2026-07-07
·
Updated
2026-07-09
·
CVE-2026-33655
CVSS v3.1
7.7
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
New API versions prior to 0.12.0-alpha.1
Description
An issue exists where the default Server-Side Request Forgery (SSRF) protection configuration fails to apply IP filtering to hostnames. Because the
ApplyIPFilterForDomain setting is disabled by default, URL validation only checks domain allow/block rules without resolving the hostname to validate the resulting IP address. This allows authenticated users to configure notification URLs for Webhook, Bark, or Gotify that point to internal or metadata IP addresses, potentially causing the server to send requests to internal HTTP services and exposing sensitive data through timing, errors, or response-dependent behavior.Recommendations
Update to version 0.12.0-alpha.1.
As a temporary workaround, explicitly enable the
ApplyIPFilterForDomain setting.
Restrict notification URL domains using an allowlist.
Disable user-configurable notification URLs where practical.
Enforce outbound network filtering at the host or network layer.Fix
SSRF
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Github.Com/Quantumnous/New-Api
New Api