CVE-2026-32879 PUBLISHED

New API is a large language model (LLM) gateway and artificial intelligence (AI) asset management system. Starting in version 0.10.0, a logic flaw in the universal secure verification flow allows an authenticated user with a registered passkey to satisfy secure verification without completing a WebAuthn assertion. As of the time of publication, no known patched versions are available. Until a patched release is applied, do not rely on passkey as the step-up method for privileged secure-verification actions; require TOTP/2FA for those actions where operationally possible; or temporarily restrict access to affected secure-verification-protected endpoints.

EPSS 0.03% · 7.0th percentile

Affected Products

Vendor       Product              Versions
newapi       new_api              0.11.9, 0.10.0
QuantumNous  new-api              >= 0.10.0, <= 0.11.9-alpha.1
github.com   QuantumNous/new-api  0.10.0
