CVE-2026-42339: New API is a large language mode (LLM) gateway and artificial intelligence (AI) asset management system. In versions 0.1
highvulnerabilityLLM-Specific
security
Summary
New API, an LLM gateway and AI asset management system, has a vulnerability in versions 0.11.9-alpha.1 and earlier where its SSRF protection (safeguards against server-side request forgery, where an attacker tricks a server into making unintended web requests) fails to block the address 0.0.0.0. Any user with a valid API token can exploit this by sending requests with 0.0.0.0 as the image URL, causing the server to make requests to localhost (its own system) and potentially leak sensitive data when using certain AWS configurations.
Vulnerability Details
EPSS (30-day exploit probability)
EPSS: 0.0%
Disclosure Date
May 8, 2026
Classification
Attack Type
RAG Poisoning
Attack SophisticationTrivial
Impact (CIA+S)
confidentialityintegrity
Affected Vendors
Amazon
Related Issues
Monthly digest — independent AI security research
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-42339
First tracked: May 9, 2026 at 02:12 AM
Classified by LLM (prompt v3) · confidence: 92%