CVE-2026-41432: CWE-345: Insufficient Verification of Data Authenticity in QuantumNous new-api
New API is a large language model (LLM) gateway and artificial intelligence (AI) asset management system. Prior to version 0.12.10, a vulnerability exists in the Stripe webhook handler that allows an unauthenticated attacker to forge webhook events and credit arbitrary quota to their account without making any payment. This issue has been patched in version 0.12.10.
AI Analysis
Technical Summary
QuantumNous new-api, an LLM gateway and AI asset management system, contained a vulnerability (CWE-345) in its Stripe webhook handler before version 0.12.10. The flaw allowed unauthenticated attackers to bypass verification of webhook event authenticity, enabling them to forge events and illegitimately increase their quota. The issue was addressed in version 0.12.10, which includes a fix to properly verify webhook event authenticity.
Potential Impact
An attacker can exploit this vulnerability to fraudulently credit quota to their account without making any payment, potentially leading to unauthorized resource usage or service abuse. There is no direct confidentiality impact reported. The integrity of quota accounting is compromised, and availability impact is low.
Mitigation Recommendations
Upgrade QuantumNous new-api to version 0.12.10 or later, where the vulnerability in the Stripe webhook handler has been patched. No other mitigation is necessary as the fix is available.
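As an added illustration of the control this CVE concerns (example code written for this page, not new-api's handler or its actual patch): Stripe signs every delivery with a Stripe-Signature header of the form t=<unix timestamp>,v1=<hex HMAC-SHA256 over "<t>.<raw body>" keyed with the endpoint's signing secret>, and a handler that credits quota without recomputing that MAC accepts whatever body the caller composes. The verifier below assumes only that documented header format; the secret, timestamps and event body used with it are constructed values.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"strconv"
	"strings"
	"time"
)

// stripeMAC recomputes what Stripe signs: HMAC-SHA256 over "<t>.<raw body>", keyed with the endpoint secret.
func stripeMAC(body []byte, secret, ts string) []byte {
	mac := hmac.New(sha256.New, []byte(secret))
	mac.Write([]byte(ts + "."))
	mac.Write(body)
	return mac.Sum(nil)
}
// VerifyStripeSignature checks a "t=<unix ts>,v1=<hex mac>[,v1=...]" header: nil only when a v1 value
// matches the recomputed MAC (constant-time) and t is within tolerance of now, which limits replay.
func VerifyStripeSignature(body []byte, header, secret string, now time.Time, tolerance time.Duration) error {
	ts, sigs := "", []string{}
	for _, part := range strings.Split(header, ",") {
		kv := strings.SplitN(strings.TrimSpace(part), "=", 2)
		if len(kv) == 2 && kv[0] == "t" {
			ts = kv[1]
		} else if len(kv) == 2 && kv[0] == "v1" {
			sigs = append(sigs, kv[1])
		}
	}
	tsInt, err := strconv.ParseInt(ts, 10, 64)
	if err != nil || len(sigs) == 0 {
		return errors.New("malformed Stripe-Signature header")
	}
	if age := now.Sub(time.Unix(tsInt, 0)); age > tolerance || age < -tolerance {
		return errors.New("timestamp outside tolerance")
	}
	expected := stripeMAC(body, secret, ts)
	for _, s := range sigs {
		if raw, err := hex.DecodeString(s); err == nil && hmac.Equal(raw, expected) {
			return nil
		}
	}
	return errors.New("no matching v1 signature")
}
// SignForTest builds a header the way Stripe's server would; used only to construct test input.
func SignForTest(body []byte, secret, ts string) string {
	return "t=" + ts + ",v1=" + hex.EncodeToString(stripeMAC(body, secret, ts))
}
```

The raw request body must be the exact bytes received: re-serialising a parsed JSON object before hashing will change whitespace or key order and make a genuine signature fail.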
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-04-20T15:32:33.814Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 69fe68edcbff5d861039d869
Added to database: 5/8/2026, 10:51:25 PM
Last enriched: 5/8/2026, 11:07:13 PM
Last updated: 5/9/2026, 3:47:30 AM