CVE-2026-32879

Published: Mar 23, 2026

Modified: Mar 24, 2026

PUBLISHED

CVSS v3.1

4.9

MEDIUM

Description

New API is a large language mode (LLM) gateway and artificial intelligence (AI) asset management system. Starting in version 0.10.0, a logic flaw in the universal secure verification flow allows an authenticated user with a registered passkey to satisfy secure verification without completing a WebAuthn assertion. As of time of publication, no known patched versions are available. Until a patched release is applied, do not rely on passkey as the step-up method for privileged secure-verification actions; require TOTP/2FA for those actions where operationally possible; or temporarily restrict access to affected secure-verification-protected endpoints.

Vendor	Product	Versions
QuantumNous	new-api	affected `>= 0.10.0, <= 0.11.9-alpha.1`

Weaknesses (CWE)

CWE-287

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

References

https://github.com/QuantumNous/new-api/security/advisories/GHSA-5353-f8fq-65vc

x_refsource_CONFIRM

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-32879

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References