CVE-2026-41432
Received
Received - Intake
Unauthenticated Stripe Webhook Forgery in New API
Publication date: 2026-05-08
Last updated on: 2026-05-18
Assigner: GitHub, Inc.
Description
Description
New API is a large language mode (LLM) gateway and artificial intelligence (AI) asset management system. Prior to version 0.12.10, a vulnerability exists in the Stripe webhook handler that allows an unauthenticated attacker to forge webhook events and credit arbitrary quota to their account without making any payment. This issue has been patched in version 0.12.10.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| newapi | new_api | to 0.12.10 (exc) |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
| CWE-345 | The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data. |
| CWE-1188 | The product initializes or sets a resource with a default that is intended to be changed by the product's installer, administrator, or maintainer, but the default is not secure. |
