Description
FastAPI Api Key provides a backend-agnostic library that provides an API key system. Version 1.1.0 has a timing side-channel vulnerability in verify_key(). The method applied a random delay only on verification failures, allowing an attacker to statistically distinguish valid from invalid API keys by measuring response latencies. With enough repeated requests, an adversary could infer whether a key_id corresponds to a valid key, potentially accelerating brute-force or enumeration attacks. All users relying on verify_key() for API key authentication prior to the fix are affected. Users should upgrade to version 1.1.0 to receive a patch. The patch applies a uniform random delay (min_delay to max_delay) to all responses regardless of outcome, eliminating the timing correlation. Some workarounds are available. Add an application-level fixed delay or random jitter to all authentication responses (success and failure) before the fix is applied and/or use rate limiting to reduce the feasibility of statistical timing attacks.
Published: 2026-01-21
Score: 3.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: API key enumeration via timing side‑channel
Action: Patch Immediately
AI Analysis

Impact

FastAPI Api Key implements an API key authentication mechanism that, prior to the latest patch, introduced a timing side‑channel in the verify_key() function. The function applied a random delay only when verification failed, creating a measurable latency difference between valid and invalid keys. With repeated requests, an attacker could statistically distinguish valid key identifiers, enabling efficient brute‑force or enumeration attacks against the key space. The vulnerability falls under CWE‑208, which pertains to timing issues that expose sensitive information.

Affected Systems

Applications that use the Athroniaeth fastapi‑api‑key library and invoke verify_key() for authentication are affected. The vulnerability applies to all versions up to and including 1.1.0; systems running newer releases that incorporate the uniform random delay patch are considered fixed.

Risk and Exploitability

The CVSS score of 3.7 indicates moderate severity, while the EPSS score of less than 1% suggests a low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Attackers would likely employ a statistical approach, sending many timed requests to map out valid vs. invalid keys. No elevated privileges or remote code execution are required; the impact is limited to information disclosure—specifically, knowledge of valid key identifiers that could facilitate further credential‑based attacks.

Generated by OpenCVE AI on April 18, 2026 at 15:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Athroniaeth fastapi‑api‑key to version 1.1.0 or later to apply the uniform random delay patch.
  • If an immediate upgrade is not feasible, add a fixed or random jitter to all authentication responses (both success and failure) before the fix is applied.
  • Implement rate limiting on the authentication endpoint to reduce the feasibility of statistical timing attacks.
  • Monitor authentication logs for anomalous patterns that may indicate key enumeration attempts.

Generated by OpenCVE AI on April 18, 2026 at 15:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-95c6-p277-p87g FastAPI Api Key has a timing side-channel in verify_key that allows statistical key validity detection
History

Fri, 27 Feb 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Athroniaeth fastapi Api Key
CPEs cpe:2.3:a:athroniaeth:fastapi_api_key:*:*:*:*:*:python:*:*
Vendors & Products Athroniaeth fastapi Api Key

Fri, 23 Jan 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Athroniaeth
Athroniaeth fastapi-api-key
Vendors & Products Athroniaeth
Athroniaeth fastapi-api-key

Thu, 22 Jan 2026 23:00:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 21 Jan 2026 22:45:00 +0000

Type Values Removed Values Added
Description FastAPI Api Key provides a backend-agnostic library that provides an API key system. Version 1.1.0 has a timing side-channel vulnerability in verify_key(). The method applied a random delay only on verification failures, allowing an attacker to statistically distinguish valid from invalid API keys by measuring response latencies. With enough repeated requests, an adversary could infer whether a key_id corresponds to a valid key, potentially accelerating brute-force or enumeration attacks. All users relying on verify_key() for API key authentication prior to the fix are affected. Users should upgrade to version 1.1.0 to receive a patch. The patch applies a uniform random delay (min_delay to max_delay) to all responses regardless of outcome, eliminating the timing correlation. Some workarounds are available. Add an application-level fixed delay or random jitter to all authentication responses (success and failure) before the fix is applied and/or use rate limiting to reduce the feasibility of statistical timing attacks.
Title FastAPI Api Key has a timing side-channel in verify_key that allows statistical key validity detection
Weaknesses CWE-208
References
Metrics cvssV3_1

{'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Athroniaeth Fastapi-api-key Fastapi Api Key
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-22T16:49:16.733Z

Reserved: 2026-01-19T18:49:20.658Z

Link: CVE-2026-23996

cve-icon Vulnrichment

Updated: 2026-01-22T15:09:25.177Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-21T23:15:53.090

Modified: 2026-02-27T14:52:40.820

Link: CVE-2026-23996

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T15:45:04Z

Weaknesses