{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23996", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-19T18:49:20.658Z", "datePublished": "2026-01-21T22:29:24.107Z", "dateUpdated": "2026-01-22T16:49:16.733Z"}, "containers": {"cna": {"title": "FastAPI Api Key has a timing side-channel in verify_key that allows statistical key validity detection", "problemTypes": [{"descriptions": [{"cweId": "CWE-208", "lang": "en", "description": "CWE-208: Observable Timing Discrepancy", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/Athroniaeth/fastapi-api-key/security/advisories/GHSA-95c6-p277-p87g", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Athroniaeth/fastapi-api-key/security/advisories/GHSA-95c6-p277-p87g"}, {"name": "https://github.com/Athroniaeth/fastapi-api-key/commit/310b2c5c77305f38c63c0b917539a0344071dfd8", "tags": ["x_refsource_MISC"], "url": "https://github.com/Athroniaeth/fastapi-api-key/commit/310b2c5c77305f38c63c0b917539a0344071dfd8"}, {"name": "https://github.com/Athroniaeth/fastapi-api-key/releases/tag/1.1.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/Athroniaeth/fastapi-api-key/releases/tag/1.1.0"}], "affected": [{"vendor": "Athroniaeth", "product": "fastapi-api-key", "versions": [{"version": "< 1.1.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-21T22:29:24.107Z"}, "descriptions": [{"lang": "en", "value": "FastAPI Api Key provides a backend-agnostic library that provides an API key system. Version 1.1.0 has a timing side-channel vulnerability in verify_key(). The method applied a random delay only on verification failures, allowing an attacker to statistically distinguish valid from invalid API keys by measuring response latencies. With enough repeated requests, an adversary could infer whether a key_id corresponds to a valid key, potentially accelerating brute-force or enumeration attacks. All users relying on verify_key() for API key authentication prior to the fix are affected. Users should upgrade to version 1.1.0 to receive a patch. The patch applies a uniform random delay (min_delay to max_delay) to all responses regardless of outcome, eliminating the timing correlation. Some workarounds are available. Add an application-level fixed delay or random jitter to all authentication responses (success and failure) before the fix is applied and/or use rate limiting to reduce the feasibility of statistical timing attacks."}], "source": {"advisory": "GHSA-95c6-p277-p87g", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-22T15:09:24.050000Z", "id": "CVE-2026-23996", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-22T16:49:16.733Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-23996", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-22T15:09:24.050000Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-22T15:09:25.177Z"}}], "cna": {"title": "FastAPI Api Key has a timing side-channel in verify_key that allows statistical key validity detection", "source": {"advisory": "GHSA-95c6-p277-p87g", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "Athroniaeth", "product": "fastapi-api-key", "versions": [{"status": "affected", "version": "< 1.1.0"}]}], "references": [{"url": "https://github.com/Athroniaeth/fastapi-api-key/security/advisories/GHSA-95c6-p277-p87g", "name": "https://github.com/Athroniaeth/fastapi-api-key/security/advisories/GHSA-95c6-p277-p87g", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/Athroniaeth/fastapi-api-key/commit/310b2c5c77305f38c63c0b917539a0344071dfd8", "name": "https://github.com/Athroniaeth/fastapi-api-key/commit/310b2c5c77305f38c63c0b917539a0344071dfd8", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/Athroniaeth/fastapi-api-key/releases/tag/1.1.0", "name": "https://github.com/Athroniaeth/fastapi-api-key/releases/tag/1.1.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "FastAPI Api Key provides a backend-agnostic library that provides an API key system. Version 1.1.0 has a timing side-channel vulnerability in verify_key(). The method applied a random delay only on verification failures, allowing an attacker to statistically distinguish valid from invalid API keys by measuring response latencies. With enough repeated requests, an adversary could infer whether a key_id corresponds to a valid key, potentially accelerating brute-force or enumeration attacks. All users relying on verify_key() for API key authentication prior to the fix are affected. Users should upgrade to version 1.1.0 to receive a patch. The patch applies a uniform random delay (min_delay to max_delay) to all responses regardless of outcome, eliminating the timing correlation. Some workarounds are available. Add an application-level fixed delay or random jitter to all authentication responses (success and failure) before the fix is applied and/or use rate limiting to reduce the feasibility of statistical timing attacks."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-208", "description": "CWE-208: Observable Timing Discrepancy"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-21T22:29:24.107Z"}}}, "cveMetadata": {"cveId": "CVE-2026-23996", "state": "PUBLISHED", "dateUpdated": "2026-01-22T16:49:16.733Z", "dateReserved": "2026-01-19T18:49:20.658Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-21T22:29:24.107Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:athroniaeth:fastapi_api_key:*:*:*:*:*:python:*:*", "matchCriteriaId": "9E32065D-0671-42EB-8A49-1434ECD4EE54", "versionEndExcluding": "1.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "FastAPI Api Key provides a backend-agnostic library that provides an API key system. Version 1.1.0 has a timing side-channel vulnerability in verify_key(). The method applied a random delay only on verification failures, allowing an attacker to statistically distinguish valid from invalid API keys by measuring response latencies. With enough repeated requests, an adversary could infer whether a key_id corresponds to a valid key, potentially accelerating brute-force or enumeration attacks. All users relying on verify_key() for API key authentication prior to the fix are affected. Users should upgrade to version 1.1.0 to receive a patch. The patch applies a uniform random delay (min_delay to max_delay) to all responses regardless of outcome, eliminating the timing correlation. Some workarounds are available. Add an application-level fixed delay or random jitter to all authentication responses (success and failure) before the fix is applied and/or use rate limiting to reduce the feasibility of statistical timing attacks."}], "id": "CVE-2026-23996", "lastModified": "2026-02-27T14:52:40.820", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-01-21T23:15:53.090", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/Athroniaeth/fastapi-api-key/commit/310b2c5c77305f38c63c0b917539a0344071dfd8"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/Athroniaeth/fastapi-api-key/releases/tag/1.1.0"}, {"source": "security-advisories@github.com", "tags": ["Mitigation", "Patch", "Vendor Advisory"], "url": "https://github.com/Athroniaeth/fastapi-api-key/security/advisories/GHSA-95c6-p277-p87g"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-208"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T15:30:56.579943+00:00", "value": {"mitigation_remediation": ["Upgrade Athroniaeth fastapi\u2011api\u2011key to version 1.1.0 or later to apply the uniform random delay patch.", "If an immediate upgrade is not feasible, add a fixed or random jitter to all authentication responses (both success and failure) before the fix is applied.", "Implement rate limiting on the authentication endpoint to reduce the feasibility of statistical timing attacks.", "Monitor authentication logs for anomalous patterns that may indicate key enumeration attempts."], "summary": {"action": "Patch Immediately", "impact": "API key enumeration via timing side\u2011channel"}, "threat_synthesis": {"affected_systems": "Applications that use the Athroniaeth fastapi\u2011api\u2011key library and invoke verify_key() for authentication are affected. The vulnerability applies to all versions up to and including 1.1.0; systems running newer releases that incorporate the uniform random delay patch are considered fixed.", "description_and_impact": "FastAPI Api Key implements an API key authentication mechanism that, prior to the latest patch, introduced a timing side\u2011channel in the verify_key() function. The function applied a random delay only when verification failed, creating a measurable latency difference between valid and invalid keys. With repeated requests, an attacker could statistically distinguish valid key identifiers, enabling efficient brute\u2011force or enumeration attacks against the key space. The vulnerability falls under CWE\u2011208, which pertains to timing issues that expose sensitive information.", "risk_and_exploitability": "The CVSS score of 3.7 indicates moderate severity, while the EPSS score of less than 1% suggests a low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Attackers would likely employ a statistical approach, sending many timed requests to map out valid vs. invalid keys. No elevated privileges or remote code execution are required; the impact is limited to information disclosure\u2014specifically, knowledge of valid key identifiers that could facilitate further credential\u2011based attacks."}}}}, "created": "2026-01-22T10:08:36.863370+00:00", "updated": "2026-04-18T15:45:04.262509+00:00", "vendors": ["athroniaeth", "athroniaeth$PRODUCT$fastapi-api-key"]}