Platform: go
Component: github.com/quantumnous/new-api
Fixed in: 0.10.1, 0.11.10
CVE-2026-32879 describes a logic flaw in the secure verification flow of QuantumNous new-api. An authenticated user who has a registered passkey can circumvent the WebAuthn assertion step and complete secure verification without performing the required authentication. The issue affects versions 0.10.0 and earlier, and a fix is available.
This passkey bypass poses a significant risk to applications that rely on QuantumNous new-api for secure authentication. An attacker who has already authenticated and registered a passkey can use the flaw to reach resources or perform actions on behalf of that user without further verification. The potential impact includes data breaches, privilege escalation, and compromise of sensitive information. While the CVSS score is medium, the ease of exploitation and the potential for widespread impact warrant prompt attention.
This vulnerability was publicly disclosed on 2026-03-23. No public proof-of-concept (PoC) code is available at the time of writing, but the description suggests a relatively straightforward exploitation path. The vulnerability is not listed in the CISA KEV catalog. The probability of exploitation is assessed as medium, given the public disclosure and the ease of exploitation once a PoC exists.
Exploit Status
EPSS: 0.04% (11th percentile)
The primary mitigation for CVE-2026-32879 is to upgrade to a patched version of QuantumNous new-api. Consult the QuantumNous project's release notes for the specific version containing the fix. If upgrading is not immediately feasible, consider implementing stricter access controls and monitoring for suspicious activity in the secure verification flow. A WAF rule is unlikely to address a server-side logic flaw of this kind, but monitoring for secure-verification successes that are not preceded by a completed WebAuthn assertion could provide an early warning. Review and strengthen passkey registration and management practices.
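As an added example, not code from the new-api project, the following Go detector implements the monitoring suggested above. It assumes an audit log in a constructed "<RFC3339> key=value ..." shape with hypothetical event names (webauthn_assert_finish, secure_verify_ok, method=passkey) and flags every passkey secure-verification success that was not preceded, within a window, by a finished WebAuthn assertion for the same user.

```go
package main

import (
	"strings"
	"time"
)

// Constructed sample lines; the "<RFC3339> key=value ..." shape is an assumption,
// the page does not show new-api's real audit-log format.
const sampleLog = `2026-03-24T10:00:02Z user=alice event=webauthn_assert_finish
2026-03-24T10:00:03Z user=alice event=secure_verify_ok method=passkey
2026-03-24T10:05:00Z user=bob event=webauthn_assert_begin
2026-03-24T10:05:01Z user=bob event=secure_verify_ok method=passkey
2026-03-24T10:07:00Z user=carol event=secure_verify_ok method=totp`

// parseLine splits "<timestamp> k=v k=v ..." into timestamp and fields; a
// malformed line yields a nil map, which matches no event kind below.
func parseLine(line string) (time.Time, map[string]string) {
	tsStr, rest, _ := strings.Cut(line, " ")
	ts, err := time.Parse(time.RFC3339, tsStr)
	if err != nil {
		return time.Time{}, nil
	}
	fields := map[string]string{}
	for _, kv := range strings.Fields(rest) {
		if k, v, ok := strings.Cut(kv, "="); ok {
			fields[k] = v
		}
	}
	return ts, fields
}

// SuspiciousVerifications returns users whose passkey secure-verification success
// was not preceded, within window, by a finished assertion (a begun one does not count).
func SuspiciousVerifications(log string, window time.Duration) []string {
	lastFinish := map[string]time.Time{}
	var flagged []string
	for _, line := range strings.Split(log, "\n") {
		ts, f := parseLine(line)
		switch f["event"] {
		case "webauthn_assert_finish":
			lastFinish[f["user"]] = ts
		case "secure_verify_ok":
			t, seen := lastFinish[f["user"]]
			if f["method"] == "passkey" && (!seen || ts.Sub(t) > window) {
				flagged = append(flagged, f["user"])
			}
		}
	}
	return flagged
}
```

On the sample log only bob is flagged: his verification succeeded after a challenge was begun but never finished, which is the shape of the bypass described above; carol used TOTP and is outside this check.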
No patched versions are available at the time of writing. It is recommended not to trust passkeys as a secure verification method for privileged actions. Use TOTP/2FA for these actions or temporarily restrict access to endpoints protected by secure verification.
CVE-2026-32879 is a vulnerability in QuantumNous new-api allowing authenticated users with passkeys to bypass WebAuthn assertion, completing secure verification without proper authentication. It impacts versions 0.10.0 and earlier.
You are affected if you are using QuantumNous new-api versions 0.10.0 or earlier. Check your dependencies and upgrade as soon as possible.
Upgrade to a patched version of QuantumNous new-api. Consult the project's release notes for the specific version containing the fix.
While no active exploitation has been confirmed, the vulnerability has been publicly disclosed and a PoC is likely to be developed, increasing the risk of exploitation.
Refer to the QuantumNous project's official website and GitHub repository for the latest security advisories and release notes.