PatchSiren cyber security CVE debrief

CVE-2026-41432 QuantumNous CVE debrief

New API is an LLM gateway and AI asset management system. Prior to version 0.12.10, the Stripe webhook handler fails to properly validate webhook event authenticity, allowing unauthenticated attackers to forge webhook events and credit arbitrary quota to their accounts without payment. The vulnerability stems from insufficient verification of webhook signatures (CWE-345: Insufficient Verification of Data Authenticity), improper authorization (CWE-863: Incorrect Authorization), and insecure default initialization of resource permissions (CWE-1188: Insecure Default Initialization of Resource). The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L) indicates network attack vector, low attack complexity, low privileges required, no user interaction, unchanged scope, no confidentiality impact, high integrity impact, and low availability impact. The vendor patched this in version 0.12.10 released May 2026. No known exploitation in ransomware campaigns has been reported.

Vendor: QuantumNous
Product: new-api
CVSS: HIGH 7.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-08
Original CVE updated: 2026-05-18
Advisory published: 2026-05-08
Advisory updated: 2026-05-18

Who should care

Organizations operating New API instances for LLM gateway or AI asset management services, particularly those using Stripe for payment processing and quota management. Security teams responsible for payment integration security and API gateway infrastructure. Financial operations teams monitoring for payment bypass or quota manipulation fraud.

Technical summary

The vulnerability exists in New API's Stripe webhook handler prior to v0.12.10. Insufficient validation of webhook event authenticity (CWE-345) combined with authorization flaws (CWE-863) allows attackers to forge Stripe webhook events, triggering unauthorized quota credits without actual payment. The attack requires network access and low privileges, with high integrity impact on the affected system. The vendor addressed this through improved webhook signature validation in version 0.12.10.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade New API to version 0.12.10 or later to remediate the Stripe webhook signature validation vulnerability.
  • Verify Stripe webhook endpoint configurations implement proper signature verification using Stripe's official libraries.
  • Review audit logs for anomalous quota credit events between deployment and patch application.
  • Implement network-level controls to restrict webhook endpoint access to Stripe IP ranges where feasible.
  • Monitor for unexpected quota balance changes as potential indicators of exploitation attempts.
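Stripe signs every webhook delivery with a Stripe-Signature header of the form t=<unix timestamp>,v1=<hex HMAC-SHA256>, where the MAC is computed with the endpoint's signing secret over the string <timestamp>.<raw request body>. The Go block below is an added example written for this debrief; it is not code from New API, from the vendor's patch, or from Stripe's SDK. It reimplements with the standard library the check that Stripe's official library performs (webhook.ConstructEvent in stripe-go), so that the technical summary's "insufficient verification of webhook signatures" and the second recommended action above have a concrete reference: MAC the raw body, compare in constant time, then reject deliveries outside the replay window. The signing secret, event body and timestamp are constructed sample values; SignLikeStripe exists only to build that sample input.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// DefaultTolerance is the replay window Stripe's SDKs apply by default (5 minutes).
const DefaultTolerance = 5 * time.Minute

var (
	ErrNoSignature    = errors.New("stripe webhook: missing or malformed Stripe-Signature header")
	ErrBadSignature   = errors.New("stripe webhook: no v1 signature matched the payload")
	ErrStaleTimestamp = errors.New("stripe webhook: timestamp outside replay tolerance")
)

// parseSignatureHeader splits "t=<ts>,v1=<hex>[,v1=<hex>...]" into the timestamp and
// the v1 signatures. Stripe can send several v1 values while a secret is being rotated.
func parseSignatureHeader(header string) (int64, []string, error) {
	ts := int64(-1)
	var sigs []string
	for _, part := range strings.Split(header, ",") {
		kv := strings.SplitN(strings.TrimSpace(part), "=", 2)
		if len(kv) != 2 {
			continue
		}
		switch kv[0] {
		case "t":
			v, err := strconv.ParseInt(kv[1], 10, 64)
			if err != nil {
				return 0, nil, ErrNoSignature
			}
			ts = v
		case "v1":
			sigs = append(sigs, kv[1])
		}
	}
	if ts < 0 || len(sigs) == 0 {
		return 0, nil, ErrNoSignature
	}
	return ts, sigs, nil
}

// computeSignature returns hex(HMAC-SHA256(secret, "<ts>.<payload>")), the value in v1.
// The MAC is taken over the raw request body, never over a re-serialised JSON object.
func computeSignature(secret string, ts int64, payload []byte) string {
	mac := hmac.New(sha256.New, []byte(secret))
	mac.Write([]byte(strconv.FormatInt(ts, 10)))
	mac.Write([]byte("."))
	mac.Write(payload)
	return hex.EncodeToString(mac.Sum(nil))
}

// VerifyStripeSignature is the check a handler must pass before it decodes the event or
// credits anything. Comparison is constant time; the age check runs only after a match.
func VerifyStripeSignature(payload []byte, header, secret string, now time.Time, tolerance time.Duration) error {
	ts, sigs, err := parseSignatureHeader(header)
	if err != nil {
		return err
	}
	expected := computeSignature(secret, ts, payload)
	matched := false
	for _, s := range sigs {
		if hmac.Equal([]byte(s), []byte(expected)) {
			matched = true
		}
	}
	if !matched {
		return ErrBadSignature
	}
	age := now.Sub(time.Unix(ts, 0))
	if age < 0 {
		age = -age
	}
	if age > tolerance {
		return ErrStaleTimestamp
	}
	return nil
}

// SignLikeStripe builds the header Stripe would attach; used here only to construct sample input.
func SignLikeStripe(payload []byte, secret string, ts int64) string {
	return fmt.Sprintf("t=%d,v1=%s", ts, computeSignature(secret, ts, payload))
}

func main() {
	// Constructed sample values: a fake signing secret, event body and delivery time.
	secret := "whsec_example_not_a_real_secret"
	body := []byte(`{"id":"evt_example_0001","type":"checkout.session.completed"}`)
	ts := int64(1700000000)
	now := time.Unix(ts, 0).Add(30 * time.Second)
	good := SignLikeStripe(body, secret, ts)
	fmt.Println("genuine delivery:", VerifyStripeSignature(body, good, secret, now, DefaultTolerance))

	// A body without a valid MAC is rejected whatever it claims about the payment.
	unsigned := []byte(`{"id":"evt_unsigned","type":"checkout.session.completed","amount_total":999999}`)
	fmt.Println("unsigned body:   ", VerifyStripeSignature(unsigned, good, secret, now, DefaultTolerance))

	// A genuine delivery presented again an hour later fails the tolerance check.
	fmt.Println("stale delivery:  ", VerifyStripeSignature(body, good, secret, now.Add(time.Hour), DefaultTolerance))
}
```

Two points of the design matter for a handler that credits quota: the raw body must be captured before any JSON decoding (a decoded-then-re-encoded object will not reproduce the bytes Stripe signed), and the handler should do nothing with the event's contents until VerifyStripeSignature returns nil. In production the call to Stripe's own library is preferable to this reimplementation; the block exists to make visible what that library checks.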

Evidence notes

CVE published 2026-05-08; modified 2026-05-18. Vendor advisory and patch released via GitHub. CPE confirms affected versions prior to 0.12.10.

Official resources

2026-05-08