CVE-2026-41432
Severity: HIGH
New API: Stripe Webhook Signature Bypass via Empty Secret Enables Unlimited Quota Fraud
Title source: cnaDescription
New API is a large language model (LLM) gateway and artificial intelligence (AI) asset management system. Prior to version 0.12.10, the Stripe webhook handler does not reject events when the webhook signing secret is empty, so signature verification is effectively disabled. An attacker who never authenticates to Stripe or to the webhook endpoint can forge webhook events and credit arbitrary quota to their own account without making any payment (the CVSS vector scores PR:L because the attacker needs an ordinary account to receive the credited quota). This issue has been patched in version 0.12.10.
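The following is an added example, not code from the New API project or from the advisory: it models the failure mode the description names (an empty signing secret that turns verification off) next to a fail-closed handler in Go, the project's language. The Stripe signature scheme itself is real (HMAC-SHA256 over "<timestamp>.<raw body>", carried in a Stripe-Signature header of the form t=<timestamp>,v1=<hex>); the function names, the verifyVulnerable body, the secret whsec_example and the event body are assumptions constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

var ErrBadSignature = errors.New("webhook: signature verification failed")

// parseSigHeader extracts the timestamp and every v1 signature from a
// Stripe-Signature header ("t=<ts>,v1=<hex>[,v1=<hex>...]").
func parseSigHeader(header string) (ts int64, sigs []string, err error) {
	for _, part := range strings.Split(header, ",") {
		kv := strings.SplitN(strings.TrimSpace(part), "=", 2)
		if len(kv) != 2 {
			continue
		}
		switch kv[0] {
		case "t":
			if ts, err = strconv.ParseInt(kv[1], 10, 64); err != nil {
				return 0, nil, ErrBadSignature
			}
		case "v1":
			sigs = append(sigs, kv[1])
		}
	}
	if ts == 0 || len(sigs) == 0 {
		return 0, nil, ErrBadSignature
	}
	return ts, sigs, nil
}

// expectedSig computes hex(HMAC-SHA256(secret, "<ts>.<payload>")).
func expectedSig(secret string, ts int64, payload []byte) string {
	mac := hmac.New(sha256.New, []byte(secret))
	mac.Write([]byte(strconv.FormatInt(ts, 10)))
	mac.Write([]byte("."))
	mac.Write(payload)
	return hex.EncodeToString(mac.Sum(nil))
}

// verifyVulnerable is a hypothetical model of the pre-0.12.10 behaviour the
// advisory describes: an empty secret skips verification entirely.
func verifyVulnerable(secret string, payload []byte, header string, now time.Time) error {
	if secret == "" {
		return nil // BUG: fails open, any body with any header is accepted
	}
	return verifyFixed(secret, payload, header, now)
}

// verifyFixed fails closed: with no secret configured, no event is accepted.
func verifyFixed(secret string, payload []byte, header string, now time.Time) error {
	if secret == "" {
		return errors.New("webhook: signing secret not configured; refusing all events")
	}
	ts, sigs, err := parseSigHeader(header)
	if err != nil {
		return err
	}
	// Reject timestamps outside a 5-minute window to limit replay of captured events.
	if d := now.Unix() - ts; d > 300 || d < -300 {
		return ErrBadSignature
	}
	want := []byte(expectedSig(secret, ts, payload))
	for _, s := range sigs {
		if hmac.Equal([]byte(s), want) { // constant-time comparison
			return nil
		}
	}
	return ErrBadSignature
}

// signForTest builds a header the way the legitimate sender would, so the
// example runs offline against a constructed event body.
func signForTest(secret string, ts int64, payload []byte) string {
	return fmt.Sprintf("t=%d,v1=%s", ts, expectedSig(secret, ts, payload))
}

func main() {
	// Constructed sample: a forged "payment completed" body that never came from Stripe.
	forged := []byte(`{"id":"evt_0001","type":"checkout.session.completed","data":{"object":{"amount_total":100000,"client_reference_id":"user42"}}}`)
	now := time.Now()
	attackerHeader := fmt.Sprintf("t=%d,v1=%s", now.Unix(), strings.Repeat("0", 64))

	fmt.Println("empty secret, vulnerable:", verifyVulnerable("", forged, attackerHeader, now))
	fmt.Println("empty secret, fixed:     ", verifyFixed("", forged, attackerHeader, now))
	fmt.Println("real secret, fixed:      ", verifyFixed("whsec_example", forged, signForTest("whsec_example", now.Unix(), forged), now))
}
```

The practitioner's check is the first branch of each function: a missing or empty secret must be a configuration error that refuses every request (or prevents startup), never a condition that bypasses the signature. In production, prefer the Stripe SDK's own verification over a hand-rolled one, but audit the same point there: what the handler does when the secret it is given is empty.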
References (2)
Advisory (x_refsource_confirm): https://github.com/QuantumNous/new-api/security/advisories/GHSA-xff3-5c9p-2mr4
Release (x_refsource_misc): https://github.com/QuantumNous/new-api/releases/tag/v0.12.10
Scores
CVSS v3.1 base score: 7.1 (High)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L (Attack Vector: Network; Attack Complexity: Low; Privileges Required: Low; User Interaction: None; Scope: Unchanged; Confidentiality: None; Integrity: High; Availability: Low)
EPSS: 0.0026 (17.0th percentile)
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: no
Technical Impact: partial
Details
CWE
CWE-1188: Initialization of a Resource with an Insecure Default
CWE-345: Insufficient Verification of Data Authenticity
CWE-863: Incorrect Authorization
Status
published
Products (3)
newapi/new_api: < 0.12.10
QuantumNous/new-api (Go): 0 to 0.12.10 (exclusive)
QuantumNous/new-api: < 0.12.10
Published
May 08, 2026
Tracked Since
May 09, 2026