Cyber Posture

CVE-2026-41432

High

Published: 08 May 2026

Published
08 May 2026
Modified
08 May 2026
KEV Added
Patch
CVSS Score 7.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
EPSS Score 0.0002 6.5th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-41432 is a high-severity Insufficient Verification of Data Authenticity (CWE-345) vulnerability. Its CVSS base score is 7.1 (High).

Operationally, ranked at the 6.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related — categorised as Other AI Platforms.

Threat & Defense Details

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

PT-8 Computer Matching Requirements
addresses: CWE-863 CWE-345

Addresses incorrect authorization by requiring independent verification of results and an opportunity to contest before any adverse action is taken.

AC-1 Policy and Procedures
addresses: CWE-863

Periodic review and update of procedures reduces incorrect authorization implementations over time.

AC-13 Supervision and Review — Access Control
addresses: CWE-863

Supervision identifies cases where authorization logic incorrectly permits unauthorized actions.

AC-16 Security and Privacy Attributes
addresses: CWE-863

Defining permitted attribute values and auditing modifications reduces the chance of incorrect authorization outcomes due to tampered or missing labels.

AC-17 Remote Access
addresses: CWE-863

The authorization process and usage restrictions help prevent incorrect authorization for remote access types.

AC-18 Wireless Access
addresses: CWE-863

Establishing configuration and connection requirements helps ensure correct rather than incorrect authorization for wireless access.

AC-19 Access Control for Mobile Devices
addresses: CWE-863

Establishing connection authorization processes for mobile devices helps ensure authorization decisions are correctly implemented rather than incorrect.

AC-2 Account Management
addresses: CWE-863

Monitoring account use, notifying on changes, and reviewing accounts for compliance corrects incorrect authorization assignments.

NVD Description

New API is a large language mode (LLM) gateway and artificial intelligence (AI) asset management system. Prior to version 0.12.10, a vulnerability exists in the Stripe webhook handler that allows an unauthenticated attacker to forge webhook events and credit arbitrary…

more

quota to their account without making any payment. This issue has been patched in version 0.12.10.

Deeper analysisAI

Automated synthesis unavailable for this CVE.

Details

CWE(s)
CWE-345CWE-863CWE-1188

AI Security AnalysisAI

AI Category
Other AI Platforms
Risk Domain
N/A
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: llm, artificial intelligence, ai

CVEs Like This One

CVE-2026-26316Shared CWE-863
CVE-2026-30820Shared CWE-863
CVE-2026-3573Shared CWE-863
CVE-2026-25474Shared CWE-345
CVE-2026-32617Shared CWE-1188
CVE-2026-32231Shared CWE-345
CVE-2026-32213Shared CWE-863
CVE-2026-41679Shared CWE-1188
CVE-2026-32597Shared CWE-345, CWE-863
CVE-2025-0359Shared CWE-863

References