Skip to main content

Suse EUVDEUVD-2026-14522

| CVE-2026-32879 MEDIUM
Improper Authentication (CWE-287)
2026-03-23 GitHub_M GHSA-5353-f8fq-65vc
4.9
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.9 MEDIUM
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
SUSE
MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Mar 23, 2026 - 19:45 euvd
EUVD-2026-14522
Analysis Generated
Mar 23, 2026 - 19:45 vuln.today
CVE Published
Mar 23, 2026 - 19:24 nvd
MEDIUM 4.9

DescriptionGitHub Advisory

New API is a large language mode (LLM) gateway and artificial intelligence (AI) asset management system. Starting in version 0.10.0, a logic flaw in the universal secure verification flow allows an authenticated user with a registered passkey to satisfy secure verification without completing a WebAuthn assertion. As of time of publication, no known patched versions are available. Until a patched release is applied, do not rely on passkey as the step-up method for privileged secure-verification actions; require TOTP/2FA for those actions where operationally possible; or temporarily restrict access to affected secure-verification-protected endpoints.

AnalysisAI

A logic flaw in New API's universal secure verification flow allows authenticated users with registered passkeys to bypass WebAuthn assertion completion, effectively circumventing step-up authentication for privileged actions. This affects New API versions 0.10.0 and later, enabling authenticated attackers with passkey enrollment to access sensitive functionality without completing proper cryptographic verification. No patched versions are currently available, making this an unresolved authentication bypass affecting all current deployments.

Technical ContextAI

New API (QuantumNous/new-api) is an LLM gateway and AI asset management system that implements WebAuthn-based passkey authentication as a second factor for privileged operations. The vulnerability resides in CWE-287 (Improper Authentication), specifically in the secure verification workflow logic that validates passkey attestation. Rather than requiring completion of a WebAuthn assertion challenge-response cycle, the flawed logic permits authenticated users to satisfy the verification requirement through an incomplete or bypassed assertion flow. This affects the CPE cpe:2.3:a:quantumnous:new-api:*:*:*:*:*:*:*:* across all versions from 0.10.0 forward, impacting the cryptographic validation layer that should enforce multi-factor authentication for sensitive operations.

RemediationAI

A permanent patch is not yet available for New API. Until a patched release is published, implement the following compensating controls: (1) do not rely on passkey as the sole step-up authentication method for privileged secure-verification actions; (2) require TOTP or hardware-based 2FA (such as time-based one-time passwords or hardware security keys with independent attestation) for all sensitive operations where operationally feasible; (3) temporarily restrict network access to affected secure-verification-protected endpoints to trusted administrative ranges or use reverse proxy authentication in front of the gateway; (4) monitor authentication logs for passkey-based verification attempts and cross-correlate with sensitive action logs to detect exploitation attempts. Subscribe to the GitHub Security Advisory (https://github.com/QuantumNous/new-api/security/advisories/GHSA-5353-f8fq-65vc) for patch availability notifications.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
openSUSE Leap 15.6 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP5 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP6 Fixed
openSUSE Leap 15.5 Fixed

Share

EUVD-2026-14522 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy