New API has passkey-based secure step-up verification bypass for root-only channel secret disclosure
Description
New API is a large language model (LLM) gateway and artificial intelligence (AI) asset management system. Starting in version 0.10.0, a logic flaw in the universal secure verification flow allows an authenticated user with a registered passkey to satisfy secure verification without completing a WebAuthn assertion; secure verification is the step-up check that gates privileged actions such as disclosure of root-only channel secrets. As of the time of publication, no patched versions are available. Until a patched release is applied, do not rely on passkey as the step-up method for privileged secure-verification actions; require TOTP/2FA for those actions where operationally possible, or temporarily restrict access to the affected secure-verification-protected endpoints.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/QuantumNous/new-api | Go | >= 0.10.0, <= 0.11.9-alpha.1 | none available at time of publication |
Affected products
- GHSA coordinates (2 version ranges): >= 0.10.0, <= 0.11.9-alpha.1, + 1 more
- pkg:golang/github.com/quantumnous/new-api (no CPE): >= 0.10.0, <= 0.11.9-alpha.1
- pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Leap%2015.6 (no CPE): < 0.0.20260326T203309-150000.1.155.2 (this range is for the openSUSE package of the Go vulnerability database that carries this entry, not for a build of new-api itself)
Patches
No patched versions were available at the time of publication; see the mitigations in the description.
Vulnerability mechanics
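The flaw class the description names (secure verification satisfied without a completed WebAuthn assertion) beside a correct step-up gate, as an added example in Go. This is illustrative code written for this page, not new-api's own implementation: the Session, Passkey and Assertion types, the hypothetical beginStepUp and finishStepUp handlers, the 2-minute challenge lifetime and the fake authenticator that produces a signed assertion offline are all assumptions. It goes beyond the advisory's wording in that the hardened gate checks everything a relying party must verify on an assertion (a live server-issued challenge, clientData type and origin, rpIdHash, the user-presence flag, the signature counter and the signature) and flips the session to verified only after all of them pass.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Session is per-login server state (hypothetical type, not new-api's own).
type Session struct {
	HasPasskey       bool      // a passkey credential is registered for this user
	PendingChallenge []byte    // challenge issued by beginStepUp; nil when none is live
	ChallengeExpiry  time.Time // challenges are short-lived
	StepUpVerified   bool      // the privileged action may proceed
}
// Passkey is the stored credential: P-256 public key plus the last seen signature counter.
type Passkey struct{ Pub *ecdsa.PublicKey; SignCount uint32 }
// Assertion is what navigator.credentials.get() hands back to the server.
type Assertion struct {
	ClientDataJSON    []byte // {"type","challenge"(base64url),"origin"}
	AuthenticatorData []byte // rpIdHash(32) | flags(1) | signCount(4, big-endian)
	Signature         []byte // DER ECDSA over AuthenticatorData || sha256(ClientDataJSON)
}
var errStepUp = errors.New("step-up verification failed")

// vulnerableStepUp is the flaw class the advisory describes: having a passkey registered counts as proof, so no assertion is ever checked.
func vulnerableStepUp(s *Session, method string) bool {
	s.StepUpVerified = method == "passkey" && s.HasPasskey
	return s.StepUpVerified
}

// beginStepUp issues a fresh random challenge bound to this session.
func beginStepUp(s *Session) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.PendingChallenge, s.ChallengeExpiry, s.StepUpVerified = c, time.Now().Add(2*time.Minute), false
	return c, nil
}

// finishStepUp sets StepUpVerified only after the whole assertion checks out.
func finishStepUp(s *Session, pk *Passkey, rpID, origin string, a Assertion) error {
	defer func() { s.PendingChallenge = nil }() // a challenge is single-use, pass or fail
	if s.PendingChallenge == nil || time.Now().After(s.ChallengeExpiry) {
		return errStepUp // no live server-issued challenge: nothing has been proven
	}
	var cd struct{ Type, Challenge, Origin string }
	if json.Unmarshal(a.ClientDataJSON, &cd) != nil || cd.Type != "webauthn.get" || cd.Origin != origin {
		return errStepUp
	}
	if got, err := base64.RawURLEncoding.DecodeString(cd.Challenge); err != nil || !bytes.Equal(got, s.PendingChallenge) {
		return errStepUp // assertion was not made over the challenge we issued
	}
	rpHash := sha256.Sum256([]byte(rpID))
	if len(a.AuthenticatorData) < 37 || !bytes.Equal(a.AuthenticatorData[:32], rpHash[:]) || a.AuthenticatorData[32]&0x01 == 0 {
		return errStepUp // wrong relying party, or user-presence (UP) flag not set
	}
	count := binary.BigEndian.Uint32(a.AuthenticatorData[33:37])
	if (count != 0 || pk.SignCount != 0) && count <= pk.SignCount {
		return errStepUp // counter did not advance (0 means unsupported): replay or clone
	}
	cdHash := sha256.Sum256(a.ClientDataJSON)
	digest := sha256.Sum256(append(append([]byte{}, a.AuthenticatorData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(pk.Pub, digest[:], a.Signature) {
		return errStepUp
	}
	pk.SignCount, s.StepUpVerified = count, true
	return nil
}

// fakeAuthenticator signs the way a P-256 passkey would, so the example runs offline.
func fakeAuthenticator(priv *ecdsa.PrivateKey, rpID, origin string, challenge []byte, count uint32) (Assertion, error) {
	cd, _ := json.Marshal(map[string]string{"type": "webauthn.get", "challenge": base64.RawURLEncoding.EncodeToString(challenge), "origin": origin})
	rpHash := sha256.Sum256([]byte(rpID))
	auth := append(rpHash[:], 0x01, 0, 0, 0, 0) // flags byte with UP set, then the 4-byte counter
	binary.BigEndian.PutUint32(auth[33:], count)
	cdHash := sha256.Sum256(cd)
	digest := sha256.Sum256(append(append([]byte{}, auth...), cdHash[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return Assertion{ClientDataJSON: cd, AuthenticatorData: auth, Signature: sig}, err
}

func main() { // stand-alone demo: flawed gate passes with no assertion; fixed gate passes only a real one
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	s, pk := &Session{HasPasskey: true}, &Passkey{Pub: &priv.PublicKey, SignCount: 5}
	ch, _ := beginStepUp(s)
	a, _ := fakeAuthenticator(priv, "example.com", "https://example.com", ch, 6)
	fmt.Println(vulnerableStepUp(&Session{HasPasskey: true}, "passkey"), finishStepUp(s, pk, "example.com", "https://example.com", a)) // prints: true <nil>
}
```

The point of contrast is where the verified flag gets set: the flawed gate derives it from account state (a passkey exists) and the client's choice of method, neither of which proves possession; the hardened gate derives it only from a signature over a challenge the server itself issued moments earlier, and a replayed assertion, a non-advancing counter, a wrong rpId, a challenge the server never issued, or a signature from another key all leave StepUpVerified false. When auditing a real step-up flow, look for any path that sets the equivalent flag before the assertion verifier has returned success.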
References
- github.com/advisories/GHSA-5353-f8fq-65vc (GHSA, ADVISORY)
- github.com/QuantumNous/new-api/security/advisories/GHSA-5353-f8fq-65vc (GHSA, x_refsource_CONFIRM, WEB)