Vulnerability Details CVE-2026-32879
New API is a large language mode (LLM) gateway and artificial intelligence (AI) asset management system. Starting in version 0.10.0, a logic flaw in the universal secure verification flow allows an authenticated user with a registered passkey to satisfy secure verification without completing a WebAuthn assertion. As of time of publication, no known patched versions are available. Until a patched release is applied, do not rely on passkey as the step-up method for privileged secure-verification actions; require TOTP/2FA for those actions where operationally possible; or temporarily restrict access to affected secure-verification-protected endpoints.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 7.0%
CVSS Severity
CVSS v3 Score 4.9
Products affected by CVE-2026-32879
-
cpe:2.3:a:newapi:new_api:0.10.0
-
cpe:2.3:a:newapi:new_api:0.10.1
-
cpe:2.3:a:newapi:new_api:0.10.2
-
cpe:2.3:a:newapi:new_api:0.10.3
-
cpe:2.3:a:newapi:new_api:0.10.4
-
cpe:2.3:a:newapi:new_api:0.10.5
-
cpe:2.3:a:newapi:new_api:0.10.6
-
cpe:2.3:a:newapi:new_api:0.10.7
-
cpe:2.3:a:newapi:new_api:0.10.8
-
cpe:2.3:a:newapi:new_api:0.10.9
-
cpe:2.3:a:newapi:new_api:0.11.0
-
cpe:2.3:a:newapi:new_api:0.11.9