Platform: go
Component: monetr
Fixed in: 1.12.5, 1.12.4
CVE-2026-40481 describes a denial-of-service vulnerability within the monetr application's Stripe webhook endpoint. This vulnerability allows a remote, unauthenticated attacker to induce substantial memory growth by sending oversized POST requests. The vulnerability impacts versions 1.12.3 and earlier, and a fix is available in version 1.12.4.
The primary impact of CVE-2026-40481 is a denial-of-service (DoS). An attacker can exploit this vulnerability by crafting and sending oversized POST requests to the monetr application's Stripe webhook endpoint. Because the application buffers the entire request body into memory before validating the Stripe signature, a sufficiently large request can exhaust available memory resources. This can lead to application crashes, service unavailability, and potentially impact other services sharing the same infrastructure. The lack of authentication means an attacker can trigger this DoS remotely without needing any credentials.
CVE-2026-40481 was publicly disclosed on 2026-04-17. There is currently no indication of active exploitation in the wild. The vulnerability is not listed on the CISA KEV catalog as of this writing. Public proof-of-concept code is not yet available, but the vulnerability's nature makes it relatively straightforward to exploit.
Exploit Status
EPSS: 0.18% (40th percentile)
CISA SSVC
The recommended mitigation for CVE-2026-40481 is to immediately upgrade monetr to version 1.12.4 or later. This version includes a fix that prevents the excessive memory allocation. If upgrading is not immediately feasible, consider applying rate limiting and a request body size limit on the Stripe webhook endpoint to restrict the frequency and size of incoming POST requests. Additionally, consider implementing a WAF rule to filter out unusually large POST requests. After upgrading, confirm the fix by sending a large POST request to the webhook endpoint and verifying that memory usage remains within acceptable limits.
Update to version 1.12.4 or later to mitigate the issue. If you cannot update immediately, configure an upstream proxy to enforce a limit on the size of the request body to Stripe webhooks.
CVE-2026-40481 is a denial-of-service vulnerability in monetr affecting versions 1.12.3 and below. An attacker can send oversized POST requests to the Stripe webhook endpoint, causing memory exhaustion and service disruption.
You are affected if you are running monetr version 1.12.3 or earlier and have Stripe webhooks enabled. Upgrade to version 1.12.4 to mitigate the risk.
Upgrade monetr to version 1.12.4 or later. As a temporary workaround, implement rate limiting or WAF rules to restrict the size of incoming POST requests to the Stripe webhook endpoint.
There is currently no evidence of active exploitation in the wild, but the vulnerability is relatively easy to exploit.
Refer to the monetr project's official website and release notes for the advisory and detailed information regarding the fix.