CVE-2026-32879

MEDIUM EPSS 20.6%

Published Mar 23, 20263mo ago · Modified Jun 17, 20261w ago

4.9 CVSS 3.1

Medium

Published Mar 23, 2026 3mo ago

Last Modified Jun 17, 2026 1w ago

Description

New API is a large language mode (LLM) gateway and artificial intelligence (AI) asset management system. Starting in version 0.10.0, a logic flaw in the universal secure verification flow allows an authenticated user with a registered passkey to satisfy secure verification without completing a WebAuthn assertion. As of time of publication, no known patched versions are available. Until a patched release is applied, do not rely on passkey as the step-up method for privileged secure-verification actions; require TOTP/2FA for those actions where operationally possible; or temporarily restrict access to affected secure-verification-protected endpoints.

CVSS Details

Base Score

4.9

Exploitability

1.2

Impact

3.6

Vector string

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Attack Vector Network

Attack Complexity Low

Privileges Required High

User Interaction None

Scope Unchanged

Confidentiality High

Integrity None

Availability None

Threat Intelligence

EPSS Exploit Probability

20.6% percentile

Exploit & Patch Status

No Known Exploit

No Patch Available

Weaknesses 1

CWE-287 Improper Authentication Authentication

Affected Products 2

Vendor	Product	Version	Range
newapi	new_api	*	≥0.10.0 – <0.11.9
newapi	new_api	0.11.9	any

References 1

github.com https://github.com/QuantumNous/new-api/security/advisories/GHSA-5353-f8fq-65vc

MitigationVendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.