Platform: go
Component: github.com/quantumnous/new-api
Fixed versions: 0.10.1, 0.11.10
CVE-2026-32879 describes a logic flaw within the secure verification flow of QuantumNous new-api. This vulnerability allows an authenticated user possessing a registered passkey to circumvent the WebAuthn assertion process, effectively completing secure verification without the required authentication step. The issue impacts versions 0.10.0 and earlier, and a fix is currently available.
This passkey bypass vulnerability poses a significant risk to applications relying on QuantumNous new-api for secure authentication. An attacker who has successfully authenticated and registered a passkey can exploit this flaw to gain unauthorized access to resources or perform actions on behalf of the authenticated user without further verification. The potential impact includes data breaches, privilege escalation, and compromise of sensitive information. While the CVSS score is medium, the ease of exploitation and potential for widespread impact warrant immediate attention.
This vulnerability was publicly disclosed on 2026-03-23. Currently, no public proof-of-concept (POC) code is available, but the description suggests a relatively straightforward exploitation path. The vulnerability is not currently listed on CISA KEV. The probability of exploitation is considered medium, given the public disclosure and the potential for easy exploitation once a POC is developed.
Applications and services utilizing QuantumNous new-api for authentication, particularly those relying heavily on passkey-based authentication, are at risk. Organizations with legacy systems or those using older versions of the library without robust security monitoring are especially vulnerable.
• go / server:
ps aux | grep new-api
• go / server:
journalctl -u new-api | grep -i "secure verification"
• generic web:
curl -i https://your-new-api-endpoint/api/verify -d '{"method":"passkey"}'
• generic web:
Inspect access logs for requests to /api/verify with {"method":"passkey"} and successful responses without WebAuthn challenges.
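The log check above, as an added example that is not part of this advisory or of the new-api project: it flags successful passkey verifications at /api/verify that were not preceded by a WebAuthn challenge for the same session. The JSON log format, the session field, the challenge path and the five-minute window are assumptions; the /api/verify path and the {"method":"passkey"} body come from the advisory text.

```python
"""Detect passkey 'secure verification' successes with no preceding WebAuthn
challenge for the same session (defender-side log review)."""
import json
from datetime import datetime, timedelta

VERIFY_PATH = "/api/verify"               # from the advisory text
CHALLENGE_PATH = "/api/verify/challenge"  # assumed: where the WebAuthn challenge is issued
WINDOW = timedelta(minutes=5)             # assumed: max gap between challenge and assertion

# Constructed access-log lines (one JSON object per line, assumed proxy format).
SAMPLE_LOG = """\
{"ts":"2026-03-23T10:00:01Z","session":"s1","method":"GET","path":"/api/verify/challenge","status":200}
{"ts":"2026-03-23T10:00:04Z","session":"s1","method":"POST","path":"/api/verify","body":{"method":"passkey"},"status":200}
{"ts":"2026-03-23T10:05:00Z","session":"s2","method":"POST","path":"/api/verify","body":{"method":"passkey"},"status":200}
{"ts":"2026-03-23T10:06:00Z","session":"s3","method":"POST","path":"/api/verify","body":{"method":"totp"},"status":200}
{"ts":"2026-03-23T10:07:00Z","session":"s4","method":"POST","path":"/api/verify","body":{"method":"passkey"},"status":401}
"""


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_unchallenged_passkey_success(log_text: str) -> list[tuple[str, str]]:
    """Return (session, timestamp) pairs for passkey successes lacking a fresh challenge."""
    last_challenge: dict[str, datetime] = {}  # session -> time of its latest unconsumed challenge
    findings: list[tuple[str, str]] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ts, sess = parse_ts(ev["ts"]), ev["session"]
        if ev["path"] == CHALLENGE_PATH and ev["status"] == 200:
            last_challenge[sess] = ts          # a challenge was issued to this session
            continue
        if ev["path"] != VERIFY_PATH or ev["status"] != 200:
            continue                           # only successful verification calls matter
        if (ev.get("body") or {}).get("method") != "passkey":
            continue                           # TOTP and other methods are out of scope here
        issued = last_challenge.get(sess)
        if issued is None or ts - issued > WINDOW:
            findings.append((sess, ev["ts"]))  # success with no (fresh) challenge: suspicious
        else:
            last_challenge.pop(sess)           # challenge consumed; a repeat needs a new one
    return findings


if __name__ == "__main__":
    for sess, ts in find_unchallenged_passkey_success(SAMPLE_LOG):
        print(f"ALERT: session {sess} completed passkey verification at {ts} without a challenge")
```

Session s1 is benign (challenge then assertion within the window); s2 is flagged; s3 uses TOTP and s4 failed, so both are ignored.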
disclosure
Exploitation status
EPSS: 0.04% (11th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-32879 is to upgrade to a patched version of QuantumNous new-api. Consult the QuantumNous project's release notes for the specific version containing the fix. If upgrading is not immediately feasible, consider implementing stricter access controls and monitoring for suspicious activity related to secure verification flows. While a direct WAF rule is unlikely, monitoring for unusual patterns of successful verification without WebAuthn challenges could provide an early warning. Review and strengthen passkey registration and management practices.
No patched version is currently available. It is recommended not to use passkeys as the secure verification method for privileged operations. For those operations, use TOTP/2FA, or temporarily restrict access to the endpoints protected by secure verification.
CVE-2026-32879 is a vulnerability in QuantumNous new-api allowing authenticated users with passkeys to bypass WebAuthn assertion, completing secure verification without proper authentication. It impacts versions 0.10.0 and earlier.
You are affected if you are using QuantumNous new-api versions 0.10.0 or earlier. Check your dependencies and upgrade as soon as possible.
Upgrade to a patched version of QuantumNous new-api. Consult the project's release notes for the specific version containing the fix.
While no active exploitation has been confirmed, the vulnerability has been publicly disclosed and a POC is likely to be developed, increasing the risk of exploitation.
Refer to the QuantumNous project's official website and GitHub repository for the latest security advisories and release notes.