GHSA-xff3-5c9p-2mr4: New API: Stripe Webhook Signature Bypass via Empty Secret Enables Unlimited Quota Fraud
high vulnerability
security
Summary
A critical vulnerability allows attackers to forge Stripe webhook events (the messages Stripe sends to confirm payments) and credit their accounts with quota without paying, because the system ships with an empty default webhook secret and doesn't verify which payment method was actually used. Three compounding flaws enable this: the webhook handler accepts an empty secret, signature verification can be bypassed when the key is empty, and the system fulfills orders created for any payment gateway (not only Stripe) when it receives a forged Stripe webhook.
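As an added example (not code from new-api, stripe-go or the advisory), a Go verifier that addresses the first two flaws in the summary: it refuses to verify at all when the webhook secret is empty, and otherwise checks the signature using Stripe's documented v1 scheme (HMAC-SHA256 over "timestamp.body", carried in the Stripe-Signature header as "t=...,v1=..."). The function and constant names, the five-minute tolerance, and any secrets or events passed to it are assumptions for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"strconv"
	"strings"
	"time"
)

// SignPayload: Stripe v1 scheme, HMAC-SHA256 over "<unix ts>.<raw body>" keyed with the endpoint secret.
func SignPayload(ts int64, payload []byte, secret string) string {
	mac := hmac.New(sha256.New, []byte(secret))
	mac.Write([]byte(strconv.FormatInt(ts, 10) + "."))
	mac.Write(payload)
	return hex.EncodeToString(mac.Sum(nil))
}

// VerifyStripeSignature parses a "t=<ts>,v1=<hex>" Stripe-Signature header and
// fails closed: an empty secret is rejected before any cryptography runs, so a
// deployment left on an empty default cannot accept forged events.
func VerifyStripeSignature(payload []byte, header, secret string, now time.Time) error {
	if strings.TrimSpace(secret) == "" {
		return errors.New("webhook secret is empty; refusing to verify")
	}
	ts, sigs := int64(-1), [][]byte{}
	for _, part := range strings.Split(header, ",") {
		name, val, ok := strings.Cut(strings.TrimSpace(part), "=")
		if v, err := strconv.ParseInt(val, 10, 64); ok && name == "t" && err == nil {
			ts = v
		} else if sig, err := hex.DecodeString(val); ok && name == "v1" && err == nil {
			sigs = append(sigs, sig) // Stripe may send several v1 values during secret rotation
		}
	}
	if ts < 0 || len(sigs) == 0 {
		return errors.New("Stripe-Signature header lacks a valid t= or v1= field")
	}
	if d := now.Sub(time.Unix(ts, 0)); d > 5*time.Minute || d < -5*time.Minute {
		return errors.New("event timestamp outside tolerance; possible replay")
	}
	expected, _ := hex.DecodeString(SignPayload(ts, payload, secret))
	for _, sig := range sigs {
		if hmac.Equal(sig, expected) { // constant-time comparison
			return nil
		}
	}
	return errors.New("no v1 signature matched")
}
```

Order fulfillment should additionally confirm that the order being credited was created for the Stripe gateway, which this verifier does not see.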
Vulnerability Details
EPSS (30-day exploit probability): 0.0%
Patch Available: Yes
Disclosure Date: April 24, 2026
Classification
Attack Sophistication: Moderate
Affected Packages
github.com/QuantumNous/new-api < 0.12.10 (fixed: 0.12.10)
Original source: https://github.com/advisories/GHSA-xff3-5c9p-2mr4
First tracked: April 24, 2026 at 02:00 PM
Classified by LLM (prompt v3) · confidence: 95%