PT-2026-35034 · Go+2 · Github.Com/Quantumnous/New-Api+1
Changeyu0229 · Published 2026-04-24 · Updated 2026-05-13 · CVE-2026-41432
CVSS v3.1: 8.2 (High), vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L
Name of the Vulnerable Software and Affected Versions
New API versions prior to 0.12.10
Description
A flaw in the Stripe webhook handler allows unauthenticated attackers to forge webhook events and credit arbitrary quota to their accounts without payment. This is caused by three issues: the system does not reject requests when StripeWebhookSecret is empty (the default), allowing attackers to compute valid signatures; the sessionCompleted handler fails to verify that payment status is set to paid; and the Recharge() function does not validate that the order's PaymentMethod matches the callback source, enabling cross-gateway exploitation where orders from other payment methods can be fulfilled via a forged Stripe webhook.

Technical details include:
- API Endpoint: '/api/stripe/webhook'
- Vulnerable Variables: StripeWebhookSecret
- Vulnerable Functions: StripeWebhook(), sessionCompleted(), and Recharge()
Recommendations
Update to version 0.12.10.
As a temporary workaround, set StripeWebhookSecret to any non-empty value in the admin panel.
If Stripe is not used, block access to the '/api/stripe/webhook' endpoint using a reverse proxy.
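The three checks the description calls for, written out as an added Go example; this is not new-api's code. It assumes Stripe's documented `t=<timestamp>,v1=<hex>` HMAC-SHA256 signature header, and the function names and the `"stripe"` PaymentMethod value are stand-ins for the project's own.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"strings"
)

// signPayload builds a Stripe-style "t=<ts>,v1=<hex>" header, HMAC-SHA256 over
// "<ts>.<body>"; used here only to construct test input.
func signPayload(secret, ts, body string) string {
	mac := hmac.New(sha256.New, []byte(secret))
	mac.Write([]byte(ts + "." + body))
	return "t=" + ts + ",v1=" + hex.EncodeToString(mac.Sum(nil))
}

// verifyStripeSignature: hypothetical stand-in for StripeWebhook(); issue 1 fix: an empty secret is a hard failure.
func verifyStripeSignature(secret, body, header string) error {
	if secret == "" {
		return errors.New("StripeWebhookSecret not configured; rejecting webhook")
	}
	var ts, v1 string
	for _, part := range strings.Split(header, ",") {
		if strings.HasPrefix(part, "t=") {
			ts = part[2:]
		} else if strings.HasPrefix(part, "v1=") {
			v1 = part[3:]
		}
	}
	mac := hmac.New(sha256.New, []byte(secret))
	mac.Write([]byte(ts + "." + body))
	if ts == "" || !hmac.Equal([]byte(v1), []byte(hex.EncodeToString(mac.Sum(nil)))) {
		return errors.New("invalid Stripe-Signature header")
	}
	return nil
}

// authorizeRecharge mirrors the checks sessionCompleted() and Recharge() need:
// issue 2, only a paid session credits quota; issue 3, no cross-gateway fulfilment.
func authorizeRecharge(orderPaymentMethod, paymentStatus string) error {
	if paymentStatus != "paid" {
		return errors.New("session payment_status is not paid")
	}
	if orderPaymentMethod != "stripe" { // "stripe" is an assumed PaymentMethod value
		return errors.New("order PaymentMethod does not match callback source")
	}
	return nil
}
```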
Incorrect Authorization
Insufficient Verification of Data Authenticity
Affected Products
Github.Com/Quantumnous/New-Api
New Api