CVE-2026-32879: New API has passkey-based secure step-up verification bypass for root-only channel secret disclosure

March 23, 2026

A logic flaw in the universal secure verification flow allows an authenticated user with a registered passkey to satisfy secure verification without completing a WebAuthn assertion.

References

github.com/QuantumNous/new-api
github.com/QuantumNous/new-api/security/advisories/GHSA-5353-f8fq-65vc
github.com/advisories/GHSA-5353-f8fq-65vc
nvd.nist.gov/vuln/detail/CVE-2026-32879

Code Behaviors & Features

Detect and mitigate CVE-2026-32879 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →