CVE-2026-41432
Last modified
CVE-2026-41432 is a high-severity vulnerability rated 8.2/10 on the CVSS scale. New API is a large language mode (LLM) gateway and artificial intelligence (AI) asset management system. Prior to version 0.12.10, a vulnerability exists in the Stripe webhook handler that allows an unauthenticated attacker to forge webhook events and credit arbitrary quota to their account without making any payment. EPSS estimates a 0.26% chance of exploitation in the next 30 days.
Description
New API is a large language mode (LLM) gateway and artificial intelligence (AI) asset management system. Prior to version 0.12.10, a vulnerability exists in the Stripe webhook handler that allows an unauthenticated attacker to forge webhook events and credit arbitrary quota to their account without making any payment. This issue has been patched in version 0.12.10.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Newapi | New Api | < 0.12.10 |
References
- https://github.com/QuantumNous/new-api/releases/tag/v0.12.10Product, Release Notes
- https://github.com/QuantumNous/new-api/security/advisories/GHSA-xff3-5c9p-2mr4Exploit, Mitigation, Vendor Advisory
- https://github.com/QuantumNous/new-api/security/advisories/GHSA-xff3-5c9p-2mr4Exploit, Mitigation, Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2026-41432?
How severe is CVE-2026-41432?
How do I fix CVE-2026-41432?
Are you affected by CVE-2026-41432?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST