CVE-2026-41432
Unauthenticated Stripe Webhook Forgery in New API
Publication date: 2026-05-08
Last updated on: 2026-05-08
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| stripe | stripe | up to 0.12.10 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1188 | The product initializes or sets a resource with a default that is intended to be changed by the product's installer, administrator, or maintainer, but the default is not secure. |
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
| CWE-345 | The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Stripe webhook handler of the New API, a large language model gateway and AI asset management system. Before version 0.12.10, an unauthenticated attacker could forge webhook events, allowing them to credit arbitrary quota to their account without making any payment.
How can this vulnerability impact me?
The vulnerability allows attackers to fraudulently increase their quota without payment, potentially leading to unauthorized use of resources and financial loss for the service provider.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade the New API system to version 0.12.10 or later, where the issue has been patched.