Platform: go
Component: github.com/quantumnous/new-api
Fixed in: 0.10.1, 0.11.10
CVE-2026-32879 describes a logic flaw within the secure verification flow of QuantumNous new-api. This vulnerability allows an authenticated user possessing a registered passkey to circumvent the WebAuthn assertion process, effectively completing secure verification without the required authentication step. The issue impacts versions 0.10.0 and earlier, and a fix is currently available.
This passkey bypass vulnerability poses a significant risk to applications relying on QuantumNous new-api for secure authentication. An attacker who has successfully authenticated and registered a passkey can exploit this flaw to gain unauthorized access to resources or perform actions on behalf of the authenticated user without further verification. The potential impact includes data breaches, privilege escalation, and compromise of sensitive information. While the CVSS score is medium, the ease of exploitation and potential for widespread impact warrant immediate attention.
This vulnerability was publicly disclosed on 2026-03-23. Currently, no public proof-of-concept (POC) code is available, but the description suggests a relatively straightforward exploitation path. The vulnerability is not currently listed on CISA KEV. The probability of exploitation is considered medium, given the public disclosure and the potential for easy exploitation once a POC is developed.
Applications and services utilizing QuantumNous new-api for authentication, particularly those relying heavily on passkey-based authentication, are at risk. Organizations with legacy systems or those using older versions of the library without robust security monitoring are especially vulnerable.
• go / server: confirm the service is running on the host:
  ps aux | grep new-api
• go / server: look for secure-verification events in the service journal:
  journalctl -u new-api | grep -i "secure verification"
• generic web: exercise the verification endpoint and inspect the response headers (POST with a JSON body, rather than a HEAD request combined with -d, which curl does not send as intended):
  curl -si -X POST https://your-new-api-endpoint/api/verify -H 'Content-Type: application/json' -d '{"method":"passkey"}'
• generic web: inspect access logs for requests to /api/verify with {"method":"passkey"} that receive a successful response without a preceding WebAuthn challenge.
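The last check above (a successful passkey verification with no WebAuthn challenge earlier in the same session) is easy to automate over an access log. The following is an added example written for this page, not code from the new-api project. It assumes a hypothetical log line format (timestamp, sid=session, HTTP method, path, optional body=JSON, status) and a hypothetical challenge path /api/webauthn/challenge; only /api/verify and the passkey body come from the advisory, so adapt both to your reverse proxy and deployment.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample access-log lines; not taken from any real deployment.
// Assumed format: <ts> sid=<session> <HTTP method> <path> [body=<json>] <status>
const sampleLog = `
2026-03-24T10:00:00Z sid=s1 POST /api/webauthn/challenge 200
2026-03-24T10:00:02Z sid=s1 POST /api/verify body={"method":"passkey"} 200
2026-03-24T10:01:00Z sid=s2 POST /api/verify body={"method":"passkey"} 200
2026-03-24T10:02:00Z sid=s3 POST /api/verify body={"method":"passkey"} 401
2026-03-24T10:03:00Z sid=s4 POST /api/verify body={"method":"totp"} 200
`

// challengePath is a hypothetical path for the WebAuthn challenge step; the
// advisory only names /api/verify, so this is an assumption to adapt.
const challengePath = "/api/webauthn/challenge"
const verifyPath = "/api/verify"

// logEntry is one parsed access-log line.
type logEntry struct {
	ts, session, method, path, body, status string
}

// parseLine splits a line in the assumed format; ok is false for malformed lines.
func parseLine(line string) (e logEntry, ok bool) {
	f := strings.Fields(line)
	if len(f) < 5 {
		return logEntry{}, false
	}
	e = logEntry{ts: f[0], method: f[2], path: f[3], status: f[len(f)-1]}
	e.session = strings.TrimPrefix(f[1], "sid=")
	for _, tok := range f[4 : len(f)-1] {
		if strings.HasPrefix(tok, "body=") {
			e.body = strings.TrimPrefix(tok, "body=")
		}
	}
	return e, true
}

// FindBypassCandidates returns, in log order, the sessions that completed
// /api/verify with method=passkey and a 2xx status without a successful
// WebAuthn challenge earlier in the same session. A completed verification
// consumes the challenge, so a second verify without a new challenge is
// flagged as well.
func FindBypassCandidates(log string) []string {
	challenged := map[string]bool{}
	flagged := map[string]bool{}
	var out []string
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		e, ok := parseLine(line)
		if !ok {
			continue
		}
		success := strings.HasPrefix(e.status, "2")
		switch {
		case e.path == challengePath && success:
			challenged[e.session] = true
		case e.path == verifyPath && success && strings.Contains(e.body, `"method":"passkey"`):
			if !challenged[e.session] && !flagged[e.session] {
				flagged[e.session] = true
				out = append(out, e.session)
			}
			delete(challenged, e.session)
		}
	}
	return out
}

func main() {
	for _, sid := range FindBypassCandidates(sampleLog) {
		fmt.Printf("session %s: passkey verification succeeded without a WebAuthn challenge\n", sid)
	}
}
```

Run against the constructed sample, only session s2 is reported: s1 performed the challenge first, s3's verification failed, and s4 used a different method. In a real deployment, feed the detector the proxy's access log and correlate the session field with whatever cookie or token the service uses.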
Exploit status: disclosure
EPSS: 0.04% (11th percentile)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2026-32879 is to upgrade to a patched version of QuantumNous new-api. Consult the QuantumNous project's release notes for the specific version containing the fix. If upgrading is not immediately feasible, consider implementing stricter access controls and monitoring for suspicious activity related to secure verification flows. While a direct WAF rule is unlikely to be practical for a logic flaw of this kind, monitoring for unusual patterns of successful verification without WebAuthn challenges could provide an early warning. Review and strengthen passkey registration and management practices.
No patched versions are available at this time. It is recommended not to rely on the passkey as a secure verification method for privileged actions. Use TOTP/2FA for these actions, or temporarily restrict access to the endpoints protected by secure verification.
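The advisory describes the flaw as a logic error: a user who merely has a passkey registered can complete secure verification without the WebAuthn assertion ever being checked. The following is an added illustration of that bug class and of the invariant a hardened flow should enforce; it is constructed for this page and is not new-api's code. The Session fields, the two-minute assertion lifetime and the method names are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Session holds the state the secure-verification step depends on.
// Field names are assumptions for this illustration.
type Session struct {
	UserID              string
	HasPasskey          bool      // a passkey is registered for the user
	AssertionVerified   bool      // set only by the WebAuthn assertion handler
	AssertionVerifiedAt time.Time // when that assertion was verified
}

var (
	ErrNoAssertion      = errors.New("passkey verification requires a completed WebAuthn assertion")
	ErrAssertionExpired = errors.New("WebAuthn assertion is too old; start a new challenge")
	ErrUnknownMethod    = errors.New("unsupported verification method")
)

// assertionTTL bounds how long a verified assertion may be consumed (assumed value).
const assertionTTL = 2 * time.Minute

// weakCompleteVerification shows the bug class the advisory describes: it
// decides on passkey *registration* alone and never checks that the
// assertion step ran. Constructed illustration, not the project's code.
func weakCompleteVerification(s *Session, method string) error {
	if method == "passkey" && s.HasPasskey {
		return nil
	}
	return ErrUnknownMethod
}

// CompleteVerification is the hardened form: it accepts the passkey method
// only when the assertion handler has recorded a fresh, unconsumed success,
// and it consumes that record so it cannot be replayed within the session.
func CompleteVerification(s *Session, method string, now time.Time) error {
	switch method {
	case "passkey":
		if !s.HasPasskey || !s.AssertionVerified {
			return ErrNoAssertion
		}
		if now.Sub(s.AssertionVerifiedAt) > assertionTTL {
			s.AssertionVerified = false
			return ErrAssertionExpired
		}
		s.AssertionVerified = false // single use
		return nil
	default:
		return ErrUnknownMethod
	}
}

func main() {
	now := time.Now()
	s := &Session{UserID: "u1", HasPasskey: true}
	fmt.Println("weak check, no assertion:", weakCompleteVerification(s, "passkey"))
	fmt.Println("hardened, no assertion:", CompleteVerification(s, "passkey", now))
	s.AssertionVerified, s.AssertionVerifiedAt = true, now
	fmt.Println("hardened, fresh assertion:", CompleteVerification(s, "passkey", now))
	fmt.Println("hardened, replay:", CompleteVerification(s, "passkey", now))
}
```

The difference between the two functions is the whole point: "has a passkey" is a property of the account, while "proved possession of it just now" is a property of this session, and only the second may unlock a privileged action. The same invariant is what the log detector above looks for from the outside.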
CVE-2026-32879 is a vulnerability in QuantumNous new-api allowing authenticated users with passkeys to bypass WebAuthn assertion, completing secure verification without proper authentication. It impacts versions 0.10.0 and earlier.
You are affected if you are using QuantumNous new-api versions 0.10.0 or earlier. Check your dependencies and upgrade as soon as possible.
Upgrade to a patched version of QuantumNous new-api. Consult the project's release notes for the specific version containing the fix.
While no active exploitation has been confirmed, the vulnerability has been publicly disclosed and a POC is likely to be developed, increasing the risk of exploitation.
Refer to the QuantumNous project's official website and GitHub repository for the latest security advisories and release notes.