Platform
go
Component
github.com/quantumnous/new-api
Fixed in
0.10.1
0.11.10
CVE-2026-32879 describes a logic flaw in the secure verification (step-up) flow of QuantumNous new-api. An authenticated user who has a registered passkey can complete secure verification without performing the WebAuthn assertion, that is, without proving possession of the authenticator. Versions 0.10.0 and earlier are affected; a fix is available in the versions listed above.
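To make the failure mode concrete, the following is an added illustration of the flaw class described above, not new-api's code (the project's real code path may differ). It shows a secure verification gate that trusts the method selector and the passkey registration state instead of a verified assertion, beside a hardened gate. The Session and VerifyRequest types, the begin step and the toy assertion check that simply echoes the challenge are assumptions standing in for a real WebAuthn assertion verification.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
)

// Session is the server-side state of a logged-in user. Secure verification is
// a second gate in front of privileged actions: the user must prove possession
// of a registered passkey before SecureVerified becomes true.
// (Illustrative types, not new-api's.)
type Session struct {
	UserID           string
	HasPasskey       bool
	PendingChallenge string // challenge issued by the begin step; empty if none
	SecureVerified   bool
}

// VerifyRequest is the body sent to the verification endpoint (assumed shape).
type VerifyRequest struct {
	Method    string // "passkey"
	Assertion string // the WebAuthn assertion; empty when the client skipped it
}

// beginPasskey issues a fresh random challenge, as the WebAuthn begin step does.
func beginPasskey(s *Session) (string, error) {
	if !s.HasPasskey {
		return "", errors.New("no passkey registered")
	}
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	s.PendingChallenge = base64.RawURLEncoding.EncodeToString(buf)
	return s.PendingChallenge, nil
}

// verifyAssertion stands in for real WebAuthn assertion verification (signature
// over authenticatorData and clientDataHash, rpId, origin, sign counter). The
// toy accepts an assertion that echoes the pending challenge, nothing else.
func verifyAssertion(s *Session, assertion string) bool {
	if s.PendingChallenge == "" || assertion == "" {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(s.PendingChallenge), []byte(assertion)) == 1
}

// vulnerableVerify shows the flaw class: the gate keys success off the method
// selector and the fact that a passkey is registered, and only checks the
// assertion when one was supplied. A request with no assertion passes.
func vulnerableVerify(s *Session, req VerifyRequest) bool {
	if req.Method != "passkey" || !s.HasPasskey {
		return false
	}
	if req.Assertion != "" && !verifyAssertion(s, req.Assertion) {
		return false
	}
	s.SecureVerified = true // BUG: reached with an empty assertion
	return true
}

// hardenedVerify grants success only on a verified assertion against a pending
// challenge, and consumes the challenge either way so it cannot be replayed.
func hardenedVerify(s *Session, req VerifyRequest) bool {
	if req.Method != "passkey" || !s.HasPasskey {
		return false
	}
	ok := verifyAssertion(s, req.Assertion)
	s.PendingChallenge = ""
	if !ok {
		return false
	}
	s.SecureVerified = true
	return true
}

func main() {
	v := Session{UserID: "alice", HasPasskey: true}
	fmt.Println("vulnerable gate, no assertion:", vulnerableVerify(&v, VerifyRequest{Method: "passkey"}))

	h := Session{UserID: "alice", HasPasskey: true}
	fmt.Println("hardened gate, no assertion:", hardenedVerify(&h, VerifyRequest{Method: "passkey"}))
	ch, _ := beginPasskey(&h)
	fmt.Println("hardened gate, valid assertion:", hardenedVerify(&h, VerifyRequest{Method: "passkey", Assertion: ch}))
	fmt.Println("hardened gate, replayed assertion:", hardenedVerify(&h, VerifyRequest{Method: "passkey", Assertion: ch}))
}
```

The point of the hardened form is that success is a consequence of one thing only, a verified assertion against a challenge this server issued, and that the challenge is consumed whether or not the check passed.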
The precondition is worth stating precisely: the attacker does not need to steal or clone a passkey, only to act within an authenticated session of a user who has one registered. Secure verification exists as a second gate in front of privileged actions, so whoever holds such a session (for example through a hijacked cookie or token, or an unattended logged-in workstation) can pass that gate without the user's authenticator. The realistic outcome is unauthorized privileged actions on behalf of the account and exposure of whatever the gate protects, up to privilege escalation within the deployment. The CVSS rating is medium, but the low exploitation effort warrants prompt patching.
The vulnerability was publicly disclosed on 2026-03-23. No public proof-of-concept is available, but the description points to a straightforward exploitation path, most likely a crafted request to the verification endpoint that skips the assertion. It is not listed on CISA KEV. The EPSS score below is low, yet the probability of exploitation is assessed as medium given the public disclosure and the ease of building a PoC.
Deployments of QuantumNous new-api that use passkeys for secure verification are at risk, especially those running older versions without security monitoring of the verification flow.
• go / server: check whether a new-api process is running
  ps aux | grep new-api
• go / server: check the service log for secure-verification events
  journalctl -u new-api | grep -i "secure verification"
• generic web: probe the verification endpoint (replace the hostname; a real request also needs the user's session cookie or token; -i prints the response headers, since -I would turn the request into a HEAD and conflict with -d)
  curl -sS -i -X POST -H 'Content-Type: application/json' -d '{"method":"passkey"}' https://your-new-api-endpoint/api/verify
• generic web: inspect access logs for POST requests to /api/verify with {"method":"passkey"} that returned success without a preceding WebAuthn challenge request in the same session.
Disclosure
Exploit status
EPSS
0.04% (11th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-32879 is to upgrade to a patched release of QuantumNous new-api (0.10.1 or later, per the fixed versions listed above; consult the project's release notes). If upgrading is not immediately feasible, restrict access to the actions behind secure verification and monitor the verification flow. A WAF rule is unlikely to help, because the request is authenticated and the defect lies in server-side logic; instead, alert on successful verifications that were not preceded by a WebAuthn challenge for the same session. Review and tighten passkey registration and management practices as well.
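The log review described in the detection list above and the monitoring suggested here both reduce to one correlation: a successful POST to /api/verify in a session that was not preceded by a WebAuthn challenge within a short window. The following Go program is an added example, not part of this advisory or of new-api, that runs this check over a constructed sample log. The log line format, the challenge endpoint path /api/verify/passkey/begin and the five-minute window are assumptions to be adapted to the real access log and the deployment's actual endpoints.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strconv"
	"strings"
	"time"
)

// Constructed sample access log, not from a real deployment. Assumed format per
// line: RFC3339 timestamp, session id, HTTP method, path, status code.
// Request bodies are usually not logged, so the {"method":"passkey"} filter from
// the advisory is replaced by the path of the passkey challenge endpoint.
const sampleLog = `2026-03-23T10:00:01Z sess-A POST /api/verify/passkey/begin 200
2026-03-23T10:00:04Z sess-A POST /api/verify 200
2026-03-23T10:05:10Z sess-B POST /api/verify 200
2026-03-23T10:07:00Z sess-C POST /api/verify 401
2026-03-23T09:30:00Z sess-D POST /api/verify/passkey/begin 200
2026-03-23T10:10:00Z sess-D POST /api/verify 200
garbage line that does not parse`

const (
	challengePath = "/api/verify/passkey/begin" // assumed path of the WebAuthn begin step
	verifyPath    = "/api/verify"               // verification endpoint named in the advisory
	maxWindow     = 5 * time.Minute             // assumed challenge lifetime
)

type event struct {
	ts      time.Time
	session string
	method  string
	path    string
	status  int
}

// parseLine parses one log line; malformed lines are skipped rather than
// aborting the whole scan.
func parseLine(line string) (event, bool) {
	f := strings.Fields(line)
	if len(f) != 5 {
		return event{}, false
	}
	ts, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return event{}, false
	}
	status, err := strconv.Atoi(f[4])
	if err != nil {
		return event{}, false
	}
	return event{ts: ts, session: f[1], method: f[2], path: f[3], status: status}, true
}

// findBypasses returns, sorted, the sessions in which secure verification
// succeeded without a challenge issued in the preceding maxWindow. Each
// challenge is treated as single-use: it is consumed by the next verify call.
func findBypasses(logText string) []string {
	var events []event
	sc := bufio.NewScanner(strings.NewReader(logText))
	for sc.Scan() {
		if ev, ok := parseLine(sc.Text()); ok {
			events = append(events, ev)
		}
	}
	// Logs are not guaranteed to be in time order; correlate chronologically.
	sort.Slice(events, func(i, j int) bool { return events[i].ts.Before(events[j].ts) })

	lastChallenge := map[string]time.Time{}
	flagged := map[string]bool{}
	for _, ev := range events {
		switch {
		case ev.path == challengePath && ev.status == 200:
			lastChallenge[ev.session] = ev.ts
		case ev.path == verifyPath && ev.method == "POST" && ev.status == 200:
			issued, ok := lastChallenge[ev.session]
			if !ok || ev.ts.Sub(issued) > maxWindow {
				flagged[ev.session] = true
			}
			delete(lastChallenge, ev.session)
		}
	}
	out := make([]string, 0, len(flagged))
	for s := range flagged {
		out = append(out, s)
	}
	sort.Strings(out)
	return out
}

func main() {
	for _, s := range findBypasses(sampleLog) {
		fmt.Printf("ALERT session %s: secure verification succeeded without a fresh WebAuthn challenge\n", s)
	}
}
```

On the sample above, sess-B (no challenge at all) and sess-D (challenge 40 minutes stale) are flagged; sess-A is a normal begin-then-verify sequence and sess-C is a failed verification, so neither is reported. The stale-challenge case matters because a bypass that reuses an old challenge would otherwise hide behind a legitimate earlier begin request.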
At the time this note was written, no patched versions were available (the metadata above now lists 0.10.1 and 0.11.10 as fixed). Until you have upgraded, do not rely on passkeys as the secure verification method for privileged actions; use TOTP/2FA for those actions, or temporarily restrict access to the endpoints protected by secure verification.
CVE-2026-32879 is a vulnerability in QuantumNous new-api that lets an authenticated user with a registered passkey bypass the WebAuthn assertion and complete secure verification without it. It affects versions 0.10.0 and earlier.
You are affected if you run QuantumNous new-api version 0.10.0 or earlier. Check the deployed version and upgrade as soon as possible.
Upgrade to a patched release of QuantumNous new-api (0.10.1 or later, per the fixed versions listed above). Consult the project's release notes for details of the fix.
While no active exploitation has been confirmed, the vulnerability has been publicly disclosed and a POC is likely to be developed, increasing the risk of exploitation.
Refer to the QuantumNous project's official website and GitHub repository for the latest security advisories and release notes.