Webhook Event Forgery Vulnerability in New API by QuantumNous
CVE-2026-41432

7.1HIGH

Key Information:

Vendor: Quantumnous
Status: New-api
Vendor: CVE Published:; 8 May 2026

🔔 Create Quantumnous Vulnerability Alert

What is CVE-2026-41432?

Prior to version 0.12.10, New API contained a vulnerability in its Stripe webhook handler, allowing unauthenticated attackers to forge webhook events. This exploit enabled attackers to credit arbitrary quotas to their accounts without completing any payment transactions. The issue has been resolved in version 0.12.10, emphasizing the importance of updating to the latest version to ensure system security.

Affected Version(s)

new-api < 0.12.10

References

https://github.com/QuantumNous/new-api/security/advisorie...

x_refsource_CONFIRM

https://github.com/QuantumNous/new-api/releases/tag/v0.12.10

x_refsource_MISC

CVSS V3.1

Score:

7.1

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 8, 2026
Vulnerability Reserved
Apr 20, 2026

CVE-2026-41432 Data

JSON