Description
New API is a large language model (LLM) gateway and artificial intelligence (AI) asset management system. Starting in version 0.10.0, a logic flaw in the universal secure verification flow allows an authenticated user with a registered passkey to satisfy secure verification without completing a WebAuthn assertion. As of the time of publication, no known patched versions are available. Until a patched release is applied, do not rely on passkeys as the step-up method for privileged secure-verification actions; require TOTP/2FA for those actions where operationally possible; or temporarily restrict access to affected secure-verification-protected endpoints.
Published: 2026-03-23
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Privilege escalation via step-up verification bypass
Action: Apply Workaround
AI Analysis

Impact

A logic flaw in the universal secure verification flow of New API allows an authenticated user who has a registered passkey to satisfy secure verification without completing the WebAuthn assertion. This bypasses the mandatory biometric or hardware-backed challenge, enabling the user to perform privileged actions normally protected by step-up verification, potentially exposing root-only channel secrets. The vulnerability is an authentication bypass (CWE-287); it does not confer remote code execution but permits unauthorized privileged operations.

Affected Systems

QuantumNous new-api, versions 0.10.0 and newer, including the 0.11.9-alpha1 release, are affected. All deployments that use the passkey as a step-up verification method for privileged secure-verification actions are impacted, irrespective of deployment scale.

Risk and Exploitability

The CVSS 3.1 base score is 4.9 (Medium); the vector (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N) records that high privileges are required and that the impact is to confidentiality only. The EPSS score is below 1% and the vulnerability is not listed in CISA's KEV catalog, suggesting a low exploitation likelihood. The flaw is exploitable only by users who are already authenticated and have a registered passkey, so the realistic threat is a compromised or insider account. No public exploits or proof-of-concept code are currently documented. Based on the description, the likely impact is privilege escalation via step-up verification bypass.

Generated by OpenCVE AI on March 25, 2026 at 20:31 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Enforce TOTP or 2FA for privileged secure-verification actions until a patched release is issued
  • Restrict access to secure-verification-protected endpoints from untrusted users or networks
  • Contact QuantumNous for an updated release or further guidance
  • Monitor authentication logs for repeated attempts to bypass passkey verification

Advisories

Source: GitHub GHSA
ID: GHSA-5353-f8fq-65vc
Title: New API has passkey-based secure step-up verification bypass for root-only channel secret disclosure
History

Wed, 25 Mar 2026 18:00:00 +0000

  First Time appeared (added): Newapi; Newapi new Api
  CPEs (added): cpe:2.3:a:newapi:new_api:*:*:*:*:*:*:*:*; cpe:2.3:a:newapi:new_api:0.11.9:alpha1:*:*:*:*:*:*
  Vendors & Products (added): Newapi; Newapi new Api

Tue, 24 Mar 2026 16:15:00 +0000

  Metrics ssvc (added): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 24 Mar 2026 10:45:00 +0000

  First Time appeared (added): Quantumnous; Quantumnous new-api
  Vendors & Products (added): Quantumnous; Quantumnous new-api

Mon, 23 Mar 2026 19:45:00 +0000

  Description (added): New API is a large language model (LLM) gateway and artificial intelligence (AI) asset management system. Starting in version 0.10.0, a logic flaw in the universal secure verification flow allows an authenticated user with a registered passkey to satisfy secure verification without completing a WebAuthn assertion. As of the time of publication, no known patched versions are available. Until a patched release is applied, do not rely on passkeys as the step-up method for privileged secure-verification actions; require TOTP/2FA for those actions where operationally possible; or temporarily restrict access to affected secure-verification-protected endpoints.
  Title (added): New API has passkey-based secure step-up verification bypass for root-only channel secret disclosure
  Weaknesses (added): CWE-287
  References:
  Metrics cvssV3_1 (added): {'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-03-24T15:13:22.246Z
Reserved: 2026-03-16T21:03:44.420Z
Link: CVE-2026-32879

Vulnrichment

Updated: 2026-03-24T14:43:22.766Z

NVD

Status: Analyzed
Published: 2026-03-23T20:16:27.373
Modified: 2026-03-25T17:52:28.520
Link: CVE-2026-32879

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T20:36:49Z

Weaknesses