CVE-2026-32879 Overview
CVE-2026-32879 is an authentication bypass vulnerability affecting New API, a large language model (LLM) gateway and artificial intelligence (AI) asset management system. Starting in version 0.10.0, a logic flaw in the universal secure verification flow allows an authenticated user with a registered passkey to satisfy secure verification without completing a WebAuthn assertion. This vulnerability could enable attackers to bypass step-up authentication controls designed to protect privileged operations.
Critical Impact
Anyone holding an authenticated session for an account that has a passkey registered (the account owner, or an attacker who has hijacked that session) can satisfy secure verification without ever touching the authenticator, and so reach privileged secure-verification-protected endpoints and sensitive AI asset management functions. This defeats the purpose of step-up authentication, which exists precisely so that a compromised session is not enough for privileged actions.
Affected Products
- New API 0.10.0 and later, including 0.11.9-alpha1; no fixed release was known at publication
- All New API deployments that use a passkey as the step-up method for secure verification
Discovery Timeline
- 2026-03-23 - CVE-2026-32879 published to NVD
- 2026-03-25 - NVD entry last updated
Technical Details for CVE-2026-32879
Vulnerability Analysis
This vulnerability stems from improper authentication logic (CWE-287) within New API's secure verification workflow. The flaw exists in how the system validates WebAuthn assertions during privileged operations. When a user has a passkey registered with their account, the secure verification flow incorrectly treats the presence of a registered passkey as sufficient evidence of authentication, rather than requiring the user to complete the full WebAuthn assertion ceremony.
In a properly implemented WebAuthn flow, users must cryptographically prove possession of their private key by signing a challenge from the server. However, the logic flaw in New API allows the verification to be satisfied without this critical cryptographic proof step, effectively reducing the security of passkey-protected operations to mere passkey registration status checks.
The attack is network-based and needs no interaction from any other user. Any authenticated session for an account with a registered passkey suffices, and physical possession of the authenticator is not required: whoever holds the session, including an attacker who has stolen it, can complete the step-up.
Root Cause
The root cause is a logic flaw in the universal secure verification flow that fails to enforce completion of the WebAuthn assertion ceremony. The verification logic incorrectly checks for passkey registration status rather than validating that a successful WebAuthn authentication has occurred. This represents a fundamental deviation from the WebAuthn specification, which requires cryptographic proof of authenticator possession.
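As an added illustration (not code from New API or its advisory), the following Go program places the flawed check beside one that enforces the assertion ceremony. The fixed path implements the real WebAuthn ES256 verification, a signature by the registered key over authenticatorData || SHA-256(clientDataJSON) with the server's challenge bound through clientDataJSON, against a simulated authenticator. The type and function names, the origin, and the "rpIdHash|flags|signCount" stand-in for authenticator data are assumptions made for this example; a production relying party would also check the rpIdHash, the user-presence flag, the origin and the signature counter.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Assertion holds the parts of a WebAuthn authentication response a relying party verifies.
type Assertion struct {
	AuthenticatorData, ClientDataJSON, Signature []byte // Signature: ASN.1 DER ECDSA (ES256)
}

// vulnerableSecureVerify reproduces the flaw: a registered passkey (non-nil key) counts as proof.
func vulnerableSecureVerify(registered *ecdsa.PublicKey, _ *Assertion) bool {
	return registered != nil
}

// signedMessage is what an ES256 authenticator signs: authenticatorData || SHA-256(clientDataJSON).
func signedMessage(authData, clientDataJSON []byte) [32]byte {
	cdHash := sha256.Sum256(clientDataJSON)
	return sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
}

// fixedSecureVerify demands a completed ceremony: clientDataJSON must echo the
// challenge issued for this attempt and the registered key must have signed it.
func fixedSecureVerify(registered *ecdsa.PublicKey, a *Assertion, issuedChallenge string) error {
	if registered == nil {
		return errors.New("no passkey registered")
	}
	if a == nil {
		return errors.New("assertion required but none supplied")
	}
	var cd struct {
		Type      string `json:"type"`
		Challenge string `json:"challenge"`
	}
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return fmt.Errorf("bad clientDataJSON: %w", err)
	}
	if cd.Type != "webauthn.get" || cd.Challenge != issuedChallenge {
		return errors.New("challenge mismatch or wrong ceremony type")
	}
	digest := signedMessage(a.AuthenticatorData, a.ClientDataJSON)
	if !ecdsa.VerifyASN1(registered, digest[:], a.Signature) {
		return errors.New("assertion signature does not verify")
	}
	return nil
}

// newChallenge issues the per-attempt random value the server must remember.
func newChallenge() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

// signAssertion plays the authenticator; only the private-key holder can produce this.
func signAssertion(priv *ecdsa.PrivateKey, challenge string) (*Assertion, error) {
	authData := []byte("rpIdHash|flags|signCount") // stand-in for the real binary layout
	clientData, _ := json.Marshal(map[string]string{
		"type": "webauthn.get", "challenge": challenge, "origin": "https://gateway.example",
	})
	digest := signedMessage(authData, clientData)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return nil, err
	}
	return &Assertion{AuthenticatorData: authData, ClientDataJSON: clientData, Signature: sig}, nil
}

// RunScenario reports whether the flawed check passes with no ceremony, then the fixed
// check's verdicts on a missing assertion, a fresh valid one, and a replay of it.
func RunScenario() (vulnPasses bool, noAssertion, good, replayed error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	vulnPasses = vulnerableSecureVerify(&priv.PublicKey, nil)
	c1 := newChallenge()
	noAssertion = fixedSecureVerify(&priv.PublicKey, nil, c1)
	a, err := signAssertion(priv, c1)
	if err != nil {
		panic(err)
	}
	good = fixedSecureVerify(&priv.PublicKey, a, c1)
	replayed = fixedSecureVerify(&priv.PublicKey, a, newChallenge()) // stale challenge
	return
}

func main() { fmt.Println(RunScenario()) }
```

RunScenario returns true for the flawed check with no assertion at all, while the fixed check rejects both the missing assertion and the replayed one and accepts only the assertion signed for the challenge currently outstanding. The challenge binding is what turns "has a passkey" into "proved possession of the passkey just now".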
Attack Vector
The attack targets the network-accessible secure verification endpoints. An attacker holding an authenticated session for an account with a registered passkey requests a privileged operation that would normally demand step-up authentication and completes the verification step without presenting a valid WebAuthn assertion response. The advisory does not publish the exact request sequence; the fact that matters for defenders is that the flawed flow enforces passkey registration, not the assertion.
The vulnerability requires high privileges (an authenticated user with a registered passkey) but no user interaction. The primary impact is to confidentiality: data and operations that secure verification was meant to gate become reachable with a session alone, so every privileged action on a passkey-enabled account should be treated as exposed until the gateway is fixed or the workarounds below are in place.
Detection Methods for CVE-2026-32879
Indicators of Compromise
- Secure verification successes on accounts with a registered passkey that have no WebAuthn assertion event for the same account shortly beforehand
- Privileged endpoints reached from sessions that never completed a second-factor check
- Unusual volume or timing of calls to secure-verification-protected resources from passkey-enabled accounts, especially from new source addresses or user agents
Detection Strategies
- Correlate authentication logs: every secure verification completion attributed to a passkey should be preceded, within a short window, by a successful WebAuthn assertion for the same account; alert on any that is not
- Write correlation rules that flag privileged operations whose session shows no step-up event
- Audit access to AI asset management endpoints for privileged actions that no operator expected
- Review assertion logs per account: a passkey that has been registered and used for step-up, yet shows no assertion ceremonies since registration, is a sign the bypass was used
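One concrete form of the log correlation above, as an added example rather than anything shipped with New API. The JSON log lines and the event names (webauthn_assertion_verified, secure_verification_passed) are constructed for this example; substitute whatever your gateway or reverse proxy actually emits.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// SampleLog is constructed for this example. The event names and JSON shape are
// hypothetical, not New API's real log format; map them to what your gateway emits.
const SampleLog = `{"ts":"2026-03-24T10:00:00Z","event":"webauthn_assertion_verified","user":"alice"}
{"ts":"2026-03-24T10:00:05Z","event":"secure_verification_passed","user":"alice","method":"passkey"}
{"ts":"2026-03-24T10:01:00Z","event":"secure_verification_passed","user":"bob","method":"passkey"}
{"ts":"2026-03-24T10:02:00Z","event":"webauthn_assertion_verified","user":"carol"}
{"ts":"2026-03-24T10:20:00Z","event":"secure_verification_passed","user":"carol","method":"passkey"}
{"ts":"2026-03-24T10:21:00Z","event":"secure_verification_passed","user":"dave","method":"totp"}
{"ts":"2026-03-24T10:22:00Z","event":"privileged_action","user":"bob","action":"export_keys"}`

type logEvent struct {
	TS     time.Time `json:"ts"`
	Event  string    `json:"event"`
	User   string    `json:"user"`
	Method string    `json:"method"`
}

// Finding is one passkey step-up success that no recent assertion accounts for.
type Finding struct {
	User   string
	At     time.Time
	Reason string
}

// FindUnbackedVerifications flags each secure_verification_passed event with
// method "passkey" that is not preceded, within window, by a
// webauthn_assertion_verified event for the same user. An assertion is consumed
// by the first step-up it backs, so one ceremony cannot explain two successes.
// Lines are expected in time order.
func FindUnbackedVerifications(log string, window time.Duration) ([]Finding, error) {
	lastAssertion := map[string]time.Time{}
	var findings []Finding
	for i, line := range strings.Split(strings.TrimSpace(log), "\n") {
		var ev logEvent
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			return nil, fmt.Errorf("line %d: %w", i+1, err)
		}
		switch ev.Event {
		case "webauthn_assertion_verified":
			lastAssertion[ev.User] = ev.TS
		case "secure_verification_passed":
			if ev.Method != "passkey" {
				continue // TOTP and other methods are outside this rule
			}
			t, seen := lastAssertion[ev.User]
			switch {
			case !seen:
				findings = append(findings, Finding{ev.User, ev.TS, "no assertion logged for this user"})
			case ev.TS.Sub(t) > window:
				findings = append(findings, Finding{ev.User, ev.TS, "last assertion " + ev.TS.Sub(t).String() + " earlier"})
			default:
				delete(lastAssertion, ev.User) // this assertion has now been spent
			}
		}
	}
	return findings, nil
}

func main() {
	findings, err := FindUnbackedVerifications(SampleLog, 2*time.Minute)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s %s: %s\n", f.At.Format(time.RFC3339), f.User, f.Reason)
	}
}
```

On the sample, alice's step-up is backed by an assertion five seconds earlier and is not flagged, bob's has no assertion at all, carol's has one eighteen minutes old, and dave's TOTP step-up is out of scope. The two-minute window is a starting point; set it to a little above the longest time a legitimate user takes between touching the authenticator and the server recording the step-up, and treat any finding on an account that then performs a privileged action (bob's export_keys line) as the highest priority.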
Monitoring Recommendations
- Enable verbose logging for all secure verification flows and WebAuthn-related operations
- Establish baselines for normal authentication patterns and alert on deviations
- Monitor for increased access to privileged endpoints from accounts with registered passkeys
- Implement real-time alerting for authentication anomalies in the secure verification workflow
How to Mitigate CVE-2026-32879
Immediate Actions Required
- Do not rely on passkey as the step-up method for privileged secure-verification actions
- Require TOTP/2FA for privileged actions where operationally possible
- Temporarily restrict access to affected secure-verification-protected endpoints
- Review and audit all recent privileged operations that utilized passkey-based verification
Patch Information
As of the publication date, no known patched versions are available for CVE-2026-32879. Organizations should monitor the GitHub Security Advisory for updates on patch availability and implement the recommended workarounds until a fix is released.
Workarounds
- Disable passkey-only authentication for privileged secure verification operations
- Enforce TOTP or hardware token 2FA as an additional requirement for sensitive actions
- Implement network-level access controls to restrict access to affected endpoints
- If a reverse proxy or WAF fronts the gateway, use it to gate the step-up endpoints behind an additional check, as in the nginx example below (the paths and upstreams are placeholders)
# Example: gate the step-up endpoints behind an extra check at the reverse proxy
# (nginx; /api/secure-verification/ and the upstream names are placeholders,
# substitute the routes your deployment exposes; needs ngx_http_auth_request_module)
location /api/secure-verification/ {
    # Limit access to trusted networks during remediation
    allow 10.0.0.0/8;
    deny all;
    # Require an additional authentication layer: the subrequest below must
    # return 2xx to let the request through, 401 or 403 to block it
    auth_request /auth/verify-totp;
    proxy_pass http://new-api-upstream;
}
location = /auth/verify-totp {
    internal;                       # only reachable as an auth_request subrequest
    proxy_pass http://totp-verifier; # your own service that checks the TOTP header/cookie
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
    proxy_set_header X-Original-URI $request_uri;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

