{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32879", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-16T21:03:44.420Z", "datePublished": "2026-03-23T19:24:16.336Z", "dateUpdated": "2026-03-24T15:13:22.246Z"}, "containers": {"cna": {"title": "New API has passkey-based secure step-up verification bypass for root-only channel secret disclosure", "problemTypes": [{"descriptions": [{"cweId": "CWE-287", "lang": "en", "description": "CWE-287: Improper Authentication", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/QuantumNous/new-api/security/advisories/GHSA-5353-f8fq-65vc", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/QuantumNous/new-api/security/advisories/GHSA-5353-f8fq-65vc"}], "affected": [{"vendor": "QuantumNous", "product": "new-api", "versions": [{"version": ">= 0.10.0, <= 0.11.9-alpha.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-23T19:24:16.336Z"}, "descriptions": [{"lang": "en", "value": "New API is a large language mode (LLM) gateway and artificial intelligence (AI) asset management system. Starting in version 0.10.0, a logic flaw in the universal secure verification flow allows an authenticated user with a registered passkey to satisfy secure verification without completing a WebAuthn assertion. As of time of publication, no known patched versions are available. Until a patched release is applied, do not rely on passkey as the step-up method for privileged secure-verification actions; require TOTP/2FA for those actions where operationally possible; or temporarily restrict access to affected secure-verification-protected endpoints."}], "source": {"advisory": "GHSA-5353-f8fq-65vc", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-24T14:43:16.316975Z", "id": "CVE-2026-32879", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T15:13:22.246Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32879", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-24T14:43:16.316975Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T14:43:22.766Z"}}], "cna": {"title": "New API has passkey-based secure step-up verification bypass for root-only channel secret disclosure", "source": {"advisory": "GHSA-5353-f8fq-65vc", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "QuantumNous", "product": "new-api", "versions": [{"status": "affected", "version": ">= 0.10.0, <= 0.11.9-alpha.1"}]}], "references": [{"url": "https://github.com/QuantumNous/new-api/security/advisories/GHSA-5353-f8fq-65vc", "name": "https://github.com/QuantumNous/new-api/security/advisories/GHSA-5353-f8fq-65vc", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "New API is a large language mode (LLM) gateway and artificial intelligence (AI) asset management system. Starting in version 0.10.0, a logic flaw in the universal secure verification flow allows an authenticated user with a registered passkey to satisfy secure verification without completing a WebAuthn assertion. As of time of publication, no known patched versions are available. Until a patched release is applied, do not rely on passkey as the step-up method for privileged secure-verification actions; require TOTP/2FA for those actions where operationally possible; or temporarily restrict access to affected secure-verification-protected endpoints."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-287", "description": "CWE-287: Improper Authentication"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-23T19:24:16.336Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32879", "state": "PUBLISHED", "dateUpdated": "2026-03-24T15:13:22.246Z", "dateReserved": "2026-03-16T21:03:44.420Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-23T19:24:16.336Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:newapi:new_api:*:*:*:*:*:*:*:*", "matchCriteriaId": "EF65AC0F-AAD5-448C-9518-09F014D43036", "versionEndExcluding": "0.11.9", "versionStartIncluding": "0.10.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:newapi:new_api:0.11.9:alpha1:*:*:*:*:*:*", "matchCriteriaId": "33AF3DD3-4364-45D6-A2EB-775B5AAB406B", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "New API is a large language mode (LLM) gateway and artificial intelligence (AI) asset management system. Starting in version 0.10.0, a logic flaw in the universal secure verification flow allows an authenticated user with a registered passkey to satisfy secure verification without completing a WebAuthn assertion. As of time of publication, no known patched versions are available. Until a patched release is applied, do not rely on passkey as the step-up method for privileged secure-verification actions; require TOTP/2FA for those actions where operationally possible; or temporarily restrict access to affected secure-verification-protected endpoints."}, {"lang": "es", "value": "Nueva API es una pasarela de modo de lenguaje grande (LLM) y un sistema de gesti\u00f3n de activos de inteligencia artificial (IA). A partir de la versi\u00f3n 0.10.0, una falla l\u00f3gica en el flujo de verificaci\u00f3n segura universal permite a un usuario autenticado con una clave de acceso (passkey) registrada satisfacer la verificaci\u00f3n segura sin completar una aserci\u00f3n WebAuthn. A la fecha de publicaci\u00f3n, no hay versiones parcheadas conocidas disponibles. Hasta que se aplique una versi\u00f3n parcheada, no conf\u00ede en la clave de acceso (passkey) como m\u00e9todo de elevaci\u00f3n para acciones privilegiadas de verificaci\u00f3n segura; requiera TOTP/2FA para esas acciones donde sea operacionalmente posible; o restrinja temporalmente el acceso a los puntos finales afectados protegidos por verificaci\u00f3n segura."}], "id": "CVE-2026-32879", "lastModified": "2026-03-25T17:52:28.520", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-23T20:16:27.373", "references": [{"source": "security-advisories@github.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://github.com/QuantumNous/new-api/security/advisories/GHSA-5353-f8fq-65vc"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.10.0,0.11.9-alpha.1]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "new-api", "source": "cna", "vendor": "QuantumNous"}, "product": "new-api", "vendor": "quantumnous"}], "analysis": {"en": {"generated_at": "2026-03-25T20:31:05.641783+00:00", "value": {"mitigation_remediation": ["Enforce TOTP or 2FA for privileged secure-verification actions until a patched release is issued", "Restrict access to secure-verification-protected endpoints from untrusted users or networks", "Contact QuantumNous for an updated release or further guidance", "Monitor authentication logs for repeated attempts to bypass passkey verification"], "summary": {"action": "Apply Workaround", "impact": "Privilege escalation via step-up verification bypass"}, "threat_synthesis": {"affected_systems": "QuantumNous new-api, versions 0.10.0 and newer, including the 0.11.9-alpha1 release, are affected. All deployments that use the passkey as a step-up verification method for privileged secure-verification actions are impacted, irrespective of deployment scale.", "description_and_impact": "A logic flaw in the universal secure verification flow of the New API allows an authenticated user who has a registered passkey to satisfy secure verification without completing the WebAuthn assertion. This bypasses the mandatory biometrics or hardware-based challenge, enabling the user to perform privileged actions normally protected by step-up verification, potentially exposing root-only channel secrets. The vulnerability is an authentication bypass (CWE-287) and does not confer remote code execution but permits unauthorized privileged operations.", "risk_and_exploitability": "The CVSS base score is 4.9, indicating moderate severity. The EPSS score is reported as less than 1% and the vulnerability is not listed in CISA's KEV catalog, suggesting a low exploitation likelihood. The flaw is exploitable only by users who have already authenticated and possess a valid passkey, limiting the scope to compromised or insider accounts. No public exploits or zero-day proof-of-concepts are currently documented. Based on the description, the likely attack vector is a privilege escalation via step-up verification bypass."}}}}, "created": "2026-03-24T10:32:59.375613+00:00", "updated": "2026-03-25T20:36:49.024301+00:00", "vendors": ["quantumnous", "quantumnous$PRODUCT$new-api"]}