Cyber Resilience

CVE-2026-41432

High · Public PoC

Published: 08 May 2026

Modified: 18 May 2026
KEV Added: not listed
Patch: fixed in version 0.12.10
CVSS Score (v3.1): 7.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L)
EPSS Score: 0.0026 (17.3rd percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-41432 is a high-severity Insufficient Verification of Data Authenticity (CWE-345) vulnerability in Newapi New Api. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 17.3rd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

This vulnerability is AI-related: it is categorised as LLM Application Platforms, in the LLM/Generative AI Risks risk domain.


Vulnerability details

New API is a large language model (LLM) gateway and artificial intelligence (AI) asset management system. Prior to version 0.12.10, a vulnerability exists in the Stripe webhook handler that allows an unauthenticated attacker to forge webhook events and credit arbitrary quota to their account without making any payment. This issue has been patched in version 0.12.10.
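The weakness described above is a webhook endpoint that acts on a payment event without first proving the event came from Stripe. The Go code below is an added illustration, not New API's code and not Stripe's library: it implements Stripe's documented signature scheme (a Stripe-Signature header of the form t=<unix time>,v1=<hex HMAC-SHA256 over "<t>.<raw body>" keyed with the endpoint signing secret>), rejects stale timestamps to limit replay, and compares in constant time. The signing secret, event body and timestamps are constructed values for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Tolerance for the t= timestamp; Stripe's documented default is 5 minutes.
const signatureTolerance = 5 * time.Minute

var (
	ErrMalformedHeader = errors.New("stripe webhook: malformed Stripe-Signature header")
	ErrBadSignature    = errors.New("stripe webhook: no matching v1 signature")
	ErrStaleTimestamp  = errors.New("stripe webhook: timestamp outside tolerance")
)

// ComputeSignature returns the hex HMAC-SHA256 that Stripe places in v1=,
// computed over "<timestamp>.<raw body>" with the endpoint signing secret.
func ComputeSignature(secret []byte, timestamp int64, body []byte) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(strconv.FormatInt(timestamp, 10)))
	mac.Write([]byte("."))
	mac.Write(body)
	return hex.EncodeToString(mac.Sum(nil))
}

// VerifyStripeSignature checks the Stripe-Signature header against the raw
// request body. It must run on the raw bytes, before JSON decoding, and before
// any side effect such as crediting quota to an account.
func VerifyStripeSignature(secret []byte, header string, body []byte, now time.Time) error {
	var ts int64
	var sigs [][]byte
	for _, part := range strings.Split(header, ",") {
		k, v, ok := strings.Cut(strings.TrimSpace(part), "=")
		if !ok {
			return ErrMalformedHeader
		}
		switch k {
		case "t":
			n, err := strconv.ParseInt(v, 10, 64)
			if err != nil {
				return ErrMalformedHeader
			}
			ts = n
		case "v1":
			b, err := hex.DecodeString(v)
			if err != nil {
				return ErrMalformedHeader
			}
			sigs = append(sigs, b)
		}
		// v0 signatures and unknown schemes are ignored, as Stripe documents.
	}
	if ts == 0 || len(sigs) == 0 {
		return ErrMalformedHeader
	}
	// Bound clock skew in both directions so a captured header cannot be replayed later.
	diff := now.Sub(time.Unix(ts, 0))
	if diff > signatureTolerance || diff < -signatureTolerance {
		return ErrStaleTimestamp
	}
	expected, _ := hex.DecodeString(ComputeSignature(secret, ts, body))
	for _, s := range sigs {
		if hmac.Equal(s, expected) { // constant-time comparison
			return nil
		}
	}
	return ErrBadSignature
}

func main() {
	// Constructed values: a fake endpoint secret and a fake checkout event.
	secret := []byte("whsec_constructed_example_secret")
	body := []byte(`{"id":"evt_constructed_1","type":"checkout.session.completed"}`)
	now := time.Unix(1700000000, 0)
	header := "t=1700000000,v1=" + ComputeSignature(secret, 1700000000, body)

	fmt.Println("genuine event:", VerifyStripeSignature(secret, header, body, now))
	tampered := []byte(`{"id":"evt_constructed_1","type":"checkout.session.completed","amount_total":999999}`)
	fmt.Println("tampered body:", VerifyStripeSignature(secret, header, tampered, now))
	fmt.Println("replayed later:", VerifyStripeSignature(secret, header, body, now.Add(10*time.Minute)))
}
```

Signature verification proves origin and integrity; it does not by itself prevent the same genuine event from being processed twice, so a handler that credits quota should also record the event id and ignore repeats, and should treat a verification failure as a security event worth logging and alerting on.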

CWE(s): CWE-345 (Insufficient Verification of Data Authenticity), CWE-863 (Incorrect Authorization)

AI Security Analysis

AI Category: LLM Application Platforms
Risk Domain: LLM/Generative AI Risks
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: matched keywords: ai, artificial intelligence, llm

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Vulnerability in unauthenticated Stripe webhook handler (public API endpoint) allows forged events due to missing authenticity verification (CWE-345), directly enabling exploitation of a public-facing application to obtain unauthorized resources.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-25802 (same product: Newapi New Api)
CVE-2026-44567 (shared CWE-863)
CVE-2026-39411 (shared CWE-345)
CVE-2026-32924 (shared CWE-863)
CVE-2026-34532 (shared CWE-863)
CVE-2026-28808 (shared CWE-863)
CVE-2026-31957 (shared CWE-1188)
CVE-2025-24409 (shared CWE-863)
CVE-2024-13253 (shared CWE-863)
CVE-2025-21565 (shared CWE-863)

Affected Assets

newapi
new api
≤ 0.12.10

Mitigating Controls

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-863 CWE-345

Addresses incorrect authorization by requiring independent verification of results and an opportunity to contest before any adverse action is taken.

addresses: CWE-863

Periodic review and update of procedures reduces incorrect authorization implementations over time.

addresses: CWE-863

Supervision identifies cases where authorization logic incorrectly permits unauthorized actions.

addresses: CWE-863

Defining permitted attribute values and auditing modifications reduces the chance of incorrect authorization outcomes due to tampered or missing labels.

addresses: CWE-863

The authorization process and usage restrictions help prevent incorrect authorization for remote access types.

addresses: CWE-863

Establishing configuration and connection requirements helps ensure correct rather than incorrect authorization for wireless access.

addresses: CWE-863

Establishing connection authorization processes for mobile devices helps ensure authorization decisions are correctly implemented rather than incorrect.

addresses: CWE-863

Monitoring account use, notifying on changes, and reviewing accounts for compliance corrects incorrect authorization assignments.
