{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/new-api--0.12.0-alpha.1/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["new-api (\u003c 0.12.0-alpha.1)"],"_cs_severities":["high"],"_cs_tags":["ssrf","api","vulnerability","bypass","web-application"],"_cs_type":"advisory","_cs_vendors":["QuantumNous"],"content_html":"\u003cp\u003eA significant vulnerability, CVE-2026-33655, has been identified in the QuantumNous \u003ccode\u003enew-api\u003c/code\u003e application, impacting all versions prior to \u003ccode\u003ev0.12.0-alpha.1\u003c/code\u003e. This Server-Side Request Forgery (SSRF) protection bypass allows authenticated users to interact with internal HTTP services that would otherwise be inaccessible. The flaw stems from a default configuration where \u003ccode\u003eApplyIPFilterForDomain\u003c/code\u003e is disabled, meaning the application fails to resolve hostnames in notification URLs (Webhook, Bark, Gotify) to their IP addresses before applying IP filtering rules. This oversight permits an attacker to specify a hostname that resolves to an internal or metadata IP address, causing the vulnerable server to initiate outbound connections to these sensitive internal targets. This capability can be leveraged for internal network reconnaissance and information disclosure, posing a substantial risk to affected deployments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access (Authenticated User)\u003c/strong\u003e: An attacker gains or compromises a legitimate user account within the vulnerable \u003ccode\u003enew-api\u003c/code\u003e application, as this vulnerability requires authenticated access to configure notification URLs.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eIdentify Internal Targets\u003c/strong\u003e: The attacker identifies potential internal HTTP services or cloud metadata endpoints accessible from the \u003ccode\u003enew-api\u003c/code\u003e deployment network through reconnaissance or prior knowledge.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eConfigure Notification URL\u003c/strong\u003e: The authenticated attacker accesses the application's notification settings (e.g., Webhook, Bark, or Gotify) where custom URLs can be specified.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSSRF Payload Insertion\u003c/strong\u003e: The attacker crafts a notification URL containing an unresolved hostname (e.g., \u003ccode\u003elocalhost\u003c/code\u003e, \u003ccode\u003e169.254.169.254.nip.io\u003c/code\u003e or a custom hostname resolving to an internal IP) that points to the identified internal target.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eServer Initiates Request\u003c/strong\u003e: Upon a triggering event, the \u003ccode\u003enew-api\u003c/code\u003e application attempts to resolve the provided hostname and initiate an outbound connection for the notification.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eIP Filtering Bypass\u003c/strong\u003e: Due to the default \u003ccode\u003eApplyIPFilterForDomain: false\u003c/code\u003e setting in affected versions, the application does not resolve the hostname to its IP address and compare it against the configured internal/metadata IP blocklist before making the connection.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInternal Network Interaction\u003c/strong\u003e: The \u003ccode\u003enew-api\u003c/code\u003e server proceeds to make a direct network request to the internal IP address or metadata endpoint disguised by the attacker's crafted hostname.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInformation Disclosure\u003c/strong\u003e: The attacker observes the application's behavior (e.g., timing, error messages, or direct responses) to discover internal network topology, sensitive data, or credentials, potentially leading to further exploitation and unauthorized access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-33655 allows a regular authenticated user to bypass existing SSRF protections and compel the \u003ccode\u003enew-api\u003c/code\u003e server to initiate connections to internal HTTP services or cloud metadata APIs. Depending on the target environment, this can lead to significant information disclosure. Attackers can leverage timing analysis, error messages, or direct responses to map internal networks, enumerate services, or exfiltrate sensitive data such as API keys, cloud credentials, or private configuration details. While the advisory does not specify observed victim counts or sectors, any organization using affected \u003ccode\u003enew-api\u003c/code\u003e versions in an environment with accessible internal HTTP services is at risk of unauthorized data exposure and potential lateral movement.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade to \u003ccode\u003enew-api\u003c/code\u003e version \u003ccode\u003ev0.12.0-alpha.1\u003c/code\u003e or later to address CVE-2026-33655.\u003c/li\u003e\n\u003cli\u003eIf immediate upgrade is not possible, explicitly enable \u003ccode\u003eApplyIPFilterForDomain: true\u003c/code\u003e in your \u003ccode\u003enew-api\u003c/code\u003e configuration to enforce hostname resolution and IP filtering.\u003c/li\u003e\n\u003cli\u003eImplement an allowlist for domains that can be used in notification URLs, restricting connectivity to only known, legitimate external services.\u003c/li\u003e\n\u003cli\u003eDisable user-configurable notification URLs within the \u003ccode\u003enew-api\u003c/code\u003e where practical, limiting the attack surface for this and similar vulnerabilities.\u003c/li\u003e\n\u003cli\u003eEnforce robust outbound network filtering at the host or network layer, blocking connections from the \u003ccode\u003enew-api\u003c/code\u003e server to internal IP ranges (e.g., 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.169.254/32) and other unauthorized destinations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-07T13:16:31Z","date_published":"2026-07-07T13:16:31Z","id":"https://feed.craftedsignal.io/briefs/2026-07-ssrf-protection-bypass-unresolved-hostname/","summary":"An SSRF protection bypass vulnerability, CVE-2026-33655, in the QuantumNous new-api, affecting versions prior to v0.12.0-alpha.1, allows authenticated users to send requests to internal HTTP services by configuring notification URLs with unresolved hostnames, leading to potential sensitive internal data exposure through timing, errors, or response-dependent behavior.","title":"New API: SSRF Protection Bypass via Unresolved Hostname in Notification URLs","url":"https://feed.craftedsignal.io/briefs/2026-07-ssrf-protection-bypass-unresolved-hostname/"}],"language":"en","title":"CraftedSignal Threat Feed - New-Api (\u003c 0.12.0-Alpha.1)","version":"https://jsonfeed.org/version/1.1"}