CVE-2026-40481
HIGHmonetr: Unauthenticated Stripe webhook reads attacker-sized request bodies before signature validation
Title source: cnaDescription
monetr is a budgeting application for recurring expenses. In versions 1.12.3 and below, the public Stripe webhook endpoint buffers the entire request body into memory before validating the Stripe signature. A remote unauthenticated attacker can send oversized POST payloads to cause uncontrolled memory growth, leading to denial of service. The issue affects deployments with Stripe webhooks enabled and is mitigated if an upstream proxy enforces a request body size limit. This issue has been fixed in version 1.12.4.
References (2)
Core 2
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/monetr/monetr/security/advisories/GHSA-v7xq-3wx6-fqc2
X_Refsource_Misc x_refsource_misc
https://github.com/monetr/monetr/releases/tag/v1.12.4
Scores
CVSS v4
8.2
EPSS
0.0045
EPSS Percentile
35.3%
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-400
Status
published
Products (2)
monetr/monetr
0 - 1.12.4Go
monetr/monetr
< 1.12.4
Published
Apr 17, 2026
Tracked Since
Apr 18, 2026