PT-2026-56211 · Go+1 · Github.Com/Quantumnous/New-Api+1

Published

2026-07-07

·

Updated

2026-07-09

·

CVE-2026-33655

CVSS v3.1

7.7

High

VectorAV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions New API versions prior to 0.12.0-alpha.1
Description An issue exists where the default Server-Side Request Forgery (SSRF) protection configuration fails to apply IP filtering to hostnames. Because the ApplyIPFilterForDomain setting is disabled by default, URL validation only checks domain allow/block rules without resolving the hostname to validate the resulting IP address. This allows authenticated users to configure notification URLs for Webhook, Bark, or Gotify that point to internal or metadata IP addresses, potentially causing the server to send requests to internal HTTP services and exposing sensitive data through timing, errors, or response-dependent behavior.
Recommendations Update to version 0.12.0-alpha.1. As a temporary workaround, explicitly enable the ApplyIPFilterForDomain setting. Restrict notification URL domains using an allowlist. Disable user-configurable notification URLs where practical. Enforce outbound network filtering at the host or network layer.

Fix

SSRF

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-33655
GHSA-6QCR-QXGR-M7FV

Affected Products

Github.Com/Quantumnous/New-Api
New Api