CVE-2026-41432 Overview
CVE-2026-41432 is a webhook signature verification flaw in New API, a large language model (LLM) gateway and artificial intelligence (AI) asset management system. Versions prior to 0.12.10 contain a Stripe webhook handler that fails to properly verify the authenticity of incoming events. An authenticated attacker can forge webhook payloads and credit arbitrary quota to their account without submitting any payment. The maintainers patched the issue in version 0.12.10. The weakness is classified under [CWE-345: Insufficient Verification of Data Authenticity].
Critical Impact
Attackers can forge Stripe webhook events to grant themselves unlimited LLM API quota, bypassing payment and causing direct financial loss to operators of New API instances.
Affected Products
- QuantumNous New API versions prior to 0.12.10
- LLM gateway deployments using New API with Stripe billing enabled
- AI asset management systems built on vulnerable New API releases
Discovery Timeline
- 2026-05-08 - CVE-2026-41432 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-41432
Vulnerability Analysis
New API integrates with Stripe to process payments and credit user quota based on successful charge events. Stripe delivers payment confirmations to the application via HTTP webhook callbacks. Each legitimate webhook request includes a Stripe-Signature header derived from a shared secret, which receivers must validate before trusting the payload.
In versions prior to 0.12.10, the New API webhook handler does not correctly verify this signature. An attacker who can reach the publicly exposed webhook endpoint can craft a forged HTTP request that mimics a legitimate checkout.session.completed or equivalent payment event. The application processes the forged event as authentic and credits the attacker-controlled account with arbitrary quota.
The vulnerability falls under [CWE-345: Insufficient Verification of Data Authenticity]. It maps to a business logic flaw and an authentication bypass at the webhook trust boundary.
Root Cause
The root cause is missing or incorrect validation of the Stripe webhook signature inside the payment callback handler. Without cryptographic verification of the Stripe-Signature header against the configured webhook secret, the application treats any well-formed JSON event as authoritative.
Attack Vector
Exploitation requires network access to the Stripe webhook endpoint of a vulnerable New API instance and a low-privileged authenticated account on the platform. The attacker sends a forged HTTP POST containing a fake payment event referencing their own user identifier or session. The handler accepts the payload and adds quota to the attacker's account. No user interaction is required. Technical details are described in the GitHub Security Advisory GHSA-xff3-5c9p-2mr4.
Detection Methods for CVE-2026-41432
Indicators of Compromise
- Stripe webhook requests arriving from source IPs outside Stripe's published webhook IP ranges
- Account quota increases without matching payment_intent.succeeded records in the Stripe dashboard
- Webhook events processed with missing, malformed, or unverified Stripe-Signature headers in application logs
- Sudden spikes in LLM API consumption from accounts with no payment history
Detection Strategies
- Reconcile New API quota credit events against authoritative Stripe transaction logs on a recurring schedule
- Alert on webhook handler responses that return success for requests lacking valid signature headers
- Compare user-level billing balances in the application database against Stripe customer payment totals to surface discrepancies
Monitoring Recommendations
- Forward New API application logs and Stripe webhook delivery logs to a centralized SIEM for correlation
- Monitor outbound LLM API costs against incoming payment revenue and alert on negative margin anomalies
- Track HTTP requests to the /api/stripe/webhook route by source IP, user agent, and response code
How to Mitigate CVE-2026-41432
Immediate Actions Required
- Upgrade New API to version 0.12.10 or later, available from the GitHub Release v0.12.10
- Audit all quota credit events since Stripe integration was enabled and revoke balances tied to unverified payments
- Rotate the Stripe webhook signing secret after upgrading to invalidate any secrets the attacker may have probed
Patch Information
The maintainers fixed the issue in version 0.12.10 by enforcing proper verification of the Stripe-Signature header on incoming webhook events. Refer to the GitHub Security Advisory GHSA-xff3-5c9p-2mr4 for the patch reference and full advisory text.
Workarounds
- Restrict access to the Stripe webhook endpoint at the network or reverse proxy layer to Stripe's published webhook source IP ranges
- Temporarily disable Stripe-based quota crediting and process payments through manual reconciliation until the patch is applied
- Place the webhook route behind an authentication-aware gateway that validates the Stripe signature before forwarding to the application
# Nginx example: restrict the Stripe webhook endpoint to Stripe IP ranges
location /api/stripe/webhook {
allow 3.18.12.63;
allow 3.130.192.231;
allow 13.235.14.237;
allow 13.235.122.149;
# ... add remaining Stripe webhook IPs
deny all;
proxy_pass http://new_api_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
