CVE-2026-32879.yaml
info:
  name: new-api
  cve: CVE-2026-32879
  summary: New API Passkey Secure Verification Bypass - Root-only channel secret disclosure
  details: >-
    New API LLM gateway starting from v0.10.0 contains a logic flaw in the universal secure
    verification flow. An authenticated user with a registered passkey can satisfy step-up
    secure verification without actually completing a WebAuthn assertion challenge.
    This bypass allows an attacker with a valid account and any registered passkey to access
    root-only privileged operations such as viewing channel secrets (API keys for upstream
    AI providers), leading to credential disclosure. As of disclosure, no patched version
    is available. The vulnerability affects all deployments with passkey authentication enabled.
  cvss: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
  severity: MEDIUM
  security_advise: >-
    Disable passkey as the step-up verification method for privileged secure-verification
    actions until a patched release is available. Monitor for unauthorized access to channel secrets.
  references:
    - https://github.com/QuantumNous/new-api/security/advisories/GHSA-5353-f8fq-65vc
    - https://github.com/advisories/GHSA-5353-f8fq-65vc
rule: version >= "0.10.0"
references:
  - https://github.com/QuantumNous/new-api/security/advisories/GHSA-5353-f8fq-65vc