Description
New API is a large language model (LLM) gateway and artificial intelligence (AI) asset management system. Prior to version 0.12.10, a vulnerability exists in the Stripe webhook handler that allows an unauthenticated attacker to forge webhook events and credit arbitrary quota to their account without making any payment. This issue has been patched in version 0.12.10.
Published: 2026-05-08
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in New API's Stripe webhook handler lets an attacker forge webhook events when the webhook secret is configured as empty: with no secret in place, the signature verification step that Stripe relies on to authenticate event data is bypassed. A malicious actor can therefore submit crafted webhook payloads that credit arbitrary amounts of quota to their account without any payment, obtaining resources at zero cost. The system treats these forged notifications as legitimate, which is a direct integrity violation and can also lead to denial of service through resource exhaustion.

Affected Systems

The affected product is QuantumNous new-api. All versions prior to v0.12.10 are vulnerable. Version v0.12.10 and later contain the patch that enforces proper secret validation and signature verification.

Risk and Exploitability

The CVSS score of 7.1 indicates high severity. Although no EPSS score is available, the webhook endpoint requires no authentication and the attack needs nothing more than a crafted payload, so any external actor with internet access can execute it. The vulnerability is not listed in CISA KEV, but the ease of exploitation and the absence of defensive checks make it a significant risk. The likely attack vector is an unauthenticated HTTP request to the webhook endpoint carrying a forged payload, against a deployment whose webhook secret is empty or missing.

Generated by OpenCVE AI on May 8, 2026 at 23:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to version 0.12.10 or newer to apply the vendor patch that corrects the webhook signature handling.
  • Configure the Stripe webhook secret to a non-empty, strong value and ensure the application enforces its presence during request processing.
  • Enable strict validation of Stripe webhook signatures for all incoming requests so that only events signed with the correct secret are accepted.
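The checks the recommended actions call for, as an added Go example that is not new-api's own code: a Stripe webhook verifier that refuses to run at all when the endpoint secret is empty (instead of silently passing, the defect this advisory describes), then checks the timestamp window and the HMAC. The function names, error strings and the constructed sample in the test are this example's own assumptions; whether new-api's handler is structured this way is not stated on the page.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"strconv"
	"strings"
	"time"
)

const tolerance = 5 * time.Minute // Stripe's default replay window for the t= timestamp

// Sign computes the v1 value: hex(HMAC-SHA256(secret, "<timestamp>.<raw body>")),
// the scheme Stripe documents; the test uses it to build a constructed header.
func Sign(secret, ts string, payload []byte) string {
	mac := hmac.New(sha256.New, []byte(secret))
	mac.Write([]byte(ts + "."))
	mac.Write(payload)
	return hex.EncodeToString(mac.Sum(nil))
}

// VerifyStripeSignature accepts a "t=<ts>,v1=<hex>" header only if it was signed with
// a non-empty secret inside the replay window. Refusing an empty secret up front is the
// hardening the advisory describes: skipping the check when unset accepts forged events.
func VerifyStripeSignature(payload []byte, header, secret string, now time.Time) error {
	if strings.TrimSpace(secret) == "" {
		return errors.New("webhook secret not configured; refusing all events")
	}
	var ts, sig string
	for _, part := range strings.Split(header, ",") {
		if kv := strings.SplitN(strings.TrimSpace(part), "=", 2); len(kv) == 2 {
			switch kv[0] {
			case "t":
				ts = kv[1]
			case "v1":
				sig = kv[1] // Stripe's SDKs check every v1 (secret rotation); this keeps the last
			}
		}
	}
	unix, err := strconv.ParseInt(ts, 10, 64)
	if d := now.Sub(time.Unix(unix, 0)); err != nil || d > tolerance || d < -tolerance {
		return errors.New("malformed Stripe-Signature header or timestamp outside tolerance")
	}
	if !hmac.Equal([]byte(sig), []byte(Sign(secret, ts, payload))) { // constant-time compare
		return errors.New("v1 signature does not match")
	}
	return nil
}
```

Call VerifyStripeSignature on the raw request body before parsing any JSON, since re-serialised JSON will not match the bytes Stripe signed.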

Advisories
Source: GitHub GHSA
ID: GHSA-xff3-5c9p-2mr4
Title: New API: Stripe Webhook Signature Bypass via Empty Secret Enables Unlimited Quota Fraud
History

Fri, 08 May 2026 23:45:00 +0000 (values removed: none; values added listed below)

Type: First Time appeared
Values added: Quantumnous; Quantumnous new-api

Type: Vendors & Products
Values added: Quantumnous; Quantumnous new-api

Fri, 08 May 2026 22:45:00 +0000 (values removed: none; values added listed below)

Type: Description
Values added: New API is a large language model (LLM) gateway and artificial intelligence (AI) asset management system. Prior to version 0.12.10, a vulnerability exists in the Stripe webhook handler that allows an unauthenticated attacker to forge webhook events and credit arbitrary quota to their account without making any payment. This issue has been patched in version 0.12.10.

Type: Title
Values added: New API: Stripe Webhook Signature Bypass via Empty Secret Enables Unlimited Quota Fraud

Type: Weaknesses
Values added: CWE-1188, CWE-345, CWE-863

Type: References
Values added: (none listed)

Type: Metrics
Values added: cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-08T22:21:32.305Z

Reserved: 2026-04-20T15:32:33.814Z

Link: CVE-2026-41432

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-08T23:16:35.457

Modified: 2026-05-08T23:16:35.457

Link: CVE-2026-41432

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-08T23:30:15Z

Weaknesses