CVE-2026-40481: In monetr, unauthenticated Stripe webhook reads attacker-sized request bodies before signature validation
The public Stripe webhook endpoint fully reads the request body into memory before validating the Stripe signature. A remote unauthenticated attacker can send oversized POST bodies and cause substantial memory growth, leading to denial of service.
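The defensive pattern for this class of bug is to bound the body before any byte of it is buffered, and only then verify the signature. The Go handler below is an added example written for this page; it is not monetr's code and does not use Stripe's SDK. It assumes a simplified signature scheme (hex HMAC-SHA256 of the raw body carried in the `Stripe-Signature` header, a stand-in for Stripe's `t=...,v1=...` format) and an assumed 64 KiB cap, which is generous for Stripe event JSON.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// maxWebhookBody is an assumed cap for this example. Stripe events are small
// JSON documents, so a few tens of KiB is ample; anything larger is rejected
// before it can inflate the process heap.
const maxWebhookBody = 64 << 10

// computeSignature returns hex(HMAC-SHA256(secret, payload)). This is a
// simplified stand-in for Stripe's documented signing scheme, used here only
// so the example is self-contained.
func computeSignature(secret string, payload []byte) string {
	mac := hmac.New(sha256.New, []byte(secret))
	mac.Write(payload)
	return hex.EncodeToString(mac.Sum(nil))
}

// readLimitedBody reads at most limit bytes of the request body. The fix for
// the advisory is this wrapper: the unbounded io.ReadAll(r.Body) that buffers
// an attacker-chosen number of bytes becomes a read that fails once the cap
// is crossed, so memory use is bounded by limit, not by the sender.
func readLimitedBody(w http.ResponseWriter, r *http.Request, limit int64) ([]byte, error) {
	r.Body = http.MaxBytesReader(w, r.Body, limit)
	return io.ReadAll(r.Body)
}

// webhookHandler enforces the size limit first, then checks the signature in
// constant time, and only then would hand the event to application code.
func webhookHandler(secret string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		body, err := readLimitedBody(w, r, maxWebhookBody)
		if err != nil {
			var tooBig *http.MaxBytesError
			if errors.As(err, &tooBig) {
				http.Error(w, "payload too large", http.StatusRequestEntityTooLarge)
				return
			}
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		presented := r.Header.Get("Stripe-Signature")
		expected := computeSignature(secret, body)
		if !hmac.Equal([]byte(presented), []byte(expected)) {
			http.Error(w, "invalid signature", http.StatusUnauthorized)
			return
		}
		// Signature valid and body bounded: safe to parse the event here.
		w.WriteHeader(http.StatusOK)
	}
}

// deliver posts a constructed body to the handler in-process and returns the
// HTTP status code, so the behaviour can be checked without a network.
func deliver(h http.Handler, body, signature string) int {
	req := httptest.NewRequest(http.MethodPost, "/webhook", strings.NewReader(body))
	if signature != "" {
		req.Header.Set("Stripe-Signature", signature)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	const secret = "whsec_example_not_a_real_secret" // constructed value
	h := webhookHandler(secret)
	good := `{"id":"evt_constructed","type":"checkout.session.completed"}`
	println("valid event      ->", deliver(h, good, computeSignature(secret, []byte(good))))
	println("bad signature    ->", deliver(h, good, "deadbeef"))
	println("oversized body   ->", deliver(h, strings.Repeat("A", maxWebhookBody+1), "deadbeef"))
}
```

Ordering matters: a handler that verified the signature first would still have to read the whole body to compute the HMAC, so the cap is the only control that actually bounds memory for unauthenticated callers; the signature check then bounds what reaches the event parser.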
Detect and mitigate CVE-2026-40481 with GitLab Dependency Scanning