
Critical Flaw in NewAPI Lets Hackers Top Up Accounts for Free

Security Alert: Payment System Flaw Exposes AI Services

A dangerous vulnerability in the widely-used NewAPI platform has security experts scrambling. The open-source system, popular for managing AI model interfaces, contains a payment processing flaw that could let hackers add unlimited funds to their accounts - without spending a dime.


How the Exploit Works

The problem lies in how NewAPI handles Stripe payment confirmations. When administrators leave the Stripe verification key blank (which happens more often than you'd think), the system becomes dangerously trusting:

  • Signature checks fail silently: The system's security checks don't flag empty keys as problematic
  • Fake payments slip through: Attackers can forge payment confirmations that the system accepts as real
  • Free money flows: Accounts get credited while Stripe sees zero actual transactions

"It's like having a vending machine that gives out snacks when you insert monopoly money," explained one security researcher who asked to remain anonymous. "The system's so eager to please that it doesn't verify whether the payment actually happened."
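To make the failure mode concrete, here is an added example (not NewAPI's code) in Go, the language NewAPI is written in: a hypothetical webhook verifier following Stripe's documented scheme (the `Stripe-Signature` header carries `t=<timestamp>,v1=<hex HMAC-SHA256 over "timestamp.body">`), first in the permissive form the article describes and then failing closed when the secret is blank. Function names and the sample secret are assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"strings"
)

// computeV1 reproduces Stripe's v1 value: hex HMAC-SHA256 over "<t>.<body>".
func computeV1(secret, ts, body string) string {
	mac := hmac.New(sha256.New, []byte(secret))
	mac.Write([]byte(ts + "." + body))
	return hex.EncodeToString(mac.Sum(nil))
}

// parseSigHeader pulls t= and v1= out of a "t=...,v1=..." Stripe-Signature header.
func parseSigHeader(h string) (ts, v1 string) {
	for _, part := range strings.Split(h, ",") {
		if kv := strings.SplitN(strings.TrimSpace(part), "=", 2); len(kv) != 2 {
			continue
		} else if kv[0] == "t" {
			ts = kv[1]
		} else if kv[0] == "v1" {
			v1 = kv[1]
		}
	}
	return ts, v1
}

// VerifyWeak models the failure mode in the article (hypothetical, not NewAPI's
// code): an empty secret is treated as "nothing to verify", so every confirmation passes.
func VerifyWeak(secret, sigHeader, body string) bool {
	ts, v1 := parseSigHeader(sigHeader)
	return secret == "" || hmac.Equal([]byte(v1), []byte(computeV1(secret, ts, body)))
}

// VerifyStrict fails closed: an unset secret or a bad signature means the order
// is not marked paid. Production code should also reject stale timestamps.
func VerifyStrict(secret, sigHeader, body string) error {
	if secret == "" {
		return errors.New("stripe webhook secret not configured; refusing to credit")
	}
	ts, v1 := parseSigHeader(sigHeader)
	if ts == "" || v1 == "" || !hmac.Equal([]byte(v1), []byte(computeV1(secret, ts, body))) {
		return errors.New("stripe signature missing or mismatched")
	}
	return nil
}
```

Credit the account only after `VerifyStrict` returns nil, and additionally confirm the session's payment status with the Stripe API, as the recommendations below advise.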


Who's Affected?

This isn't just theoretical - any NewAPI installation that:

  • Uses Stripe payments without proper configuration
  • Runs in test environments where payment setup was skipped
  • Relies mainly on other payment methods like Alipay or WeChat Pay

The Fix Is In

The NewAPI team moved quickly, releasing version 0.12.10 to plug this security hole. Their update "improves Stripe payment processing" - tech speak for "we now actually check if payments are real."

Key Recommendations for Users:

  • Upgrade now: Version 0.12.10 or later is essential
  • Set those keys: Even if you don't use Stripe, configure it properly
  • Audit your books: Check for suspicious top-ups in your system logs
  • Double-check payments: Verify both signatures and actual transaction statuses

"This is one of those vulnerabilities that's simple to fix but could cause real headaches if ignored," warns cybersecurity analyst Mark Chen. "The exploit details are already circulating online, so there's no time to waste."

Key Points

  • NewAPI had a payment verification flaw when Stripe keys weren't set
  • Attackers could fake payment confirmations to get free account credits
  • Fixed in version 0.12.10 - update immediately
  • All users should configure Stripe keys and audit their transaction logs
  • Vulnerability highlights importance of proper payment system configuration
