CVE-2026-32879: CWE-287: Improper Authentication in QuantumNous new-api
CVE-2026-32879 is a medium-severity improper authentication vulnerability in QuantumNous new-api versions 0.10.0 through 0.11.9-alpha.1. The flaw allows an authenticated user with a registered passkey to bypass the WebAuthn assertion step in the secure verification flow, effectively weakening the step-up authentication process. This vulnerability does not require user interaction and affects confidentiality but not integrity or availability. No patches are currently available, so organizations should avoid relying on passkey-based step-up verification for privileged actions and instead require TOTP or another 2FA method, or restrict access to sensitive endpoints. The vulnerability impacts organizations using QuantumNous new-api, particularly those leveraging its AI asset management and LLM gateway capabilities.
AI Analysis (machine-generated threat intelligence)
Technical Summary
CVE-2026-32879 is an improper authentication vulnerability (CWE-287) found in QuantumNous new-api, a platform that serves as a large language model (LLM) gateway and AI asset management system. Starting from version 0.10.0 up to 0.11.9-alpha.1, a logic flaw in the universal secure verification flow allows an authenticated user who possesses a registered passkey to bypass the required WebAuthn assertion step. Normally, WebAuthn assertions are a critical part of multi-factor or step-up authentication, ensuring that the user proves possession of a hardware or software authenticator. Due to this flaw, the system incorrectly accepts the presence of a registered passkey without verifying the actual WebAuthn assertion, effectively weakening the authentication process. This vulnerability compromises the confidentiality of privileged operations by allowing unauthorized access to secure-verification-protected endpoints without completing the full verification. The flaw does not affect integrity or availability and requires the attacker to be an authenticated user with a registered passkey, thus limiting the attack vector to insiders or compromised accounts. No patches are currently available, and the vendor has advised against relying on passkey-based step-up verification until a fix is released. Instead, organizations should enforce alternative second-factor methods such as TOTP or other 2FA mechanisms or restrict access to sensitive endpoints. The CVSS v3.1 score is 4.9 (medium), reflecting network attack vector, low attack complexity, high privileges required, no user interaction, unchanged scope, high confidentiality impact, and no integrity or availability impact.
Potential Impact
The vulnerability primarily impacts the confidentiality of sensitive operations protected by step-up authentication in QuantumNous new-api. Attackers who have authenticated access with a registered passkey can bypass the WebAuthn assertion, potentially gaining unauthorized access to privileged functions or sensitive AI asset management features. This could lead to exposure of confidential AI models, data, or operational controls. Since the flaw requires prior authentication with a registered passkey, the risk is higher for insider threats or compromised accounts. The absence of a patch increases the window of exposure. Organizations relying on passkey-based step-up verification for critical actions may face increased risk of unauthorized access, data leakage, or misuse of AI assets. The vulnerability does not affect system integrity or availability, so it is less likely to cause service disruption or data tampering. However, the confidentiality breach could have significant operational and reputational consequences, especially for organizations handling sensitive AI workloads or intellectual property.
Mitigation Recommendations
Until a patched version is released, organizations should not rely on passkey-based step-up verification for privileged or sensitive operations in QuantumNous new-api. Instead, enforce alternative multi-factor authentication methods such as TOTP (Time-based One-Time Password) or other forms of 2FA that do not depend on the vulnerable WebAuthn flow. Temporarily restrict or disable access to endpoints protected by the affected secure-verification mechanism if operationally feasible. Implement strict monitoring and logging of authentication and authorization events to detect suspicious activities involving passkey usage. Conduct thorough account audits to identify and remediate compromised or suspicious accounts with registered passkeys. Educate users and administrators about the vulnerability and the importance of using strong, alternative authentication methods. Maintain close communication with QuantumNous for updates on patches or workarounds. Consider network segmentation and least privilege principles to limit the impact of any unauthorized access. Finally, prepare incident response plans to address potential exploitation scenarios.
Affected Countries
United States, Germany, United Kingdom, Canada, France, Japan, South Korea, Australia, Netherlands, Singapore
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-16T21:03:44.420Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69c1986ff4197a8e3b86e7bf
Added to database: 3/23/2026, 7:45:51 PM
Last enriched: 3/30/2026, 8:34:50 PM
Last updated: 5/7/2026, 4:23:14 AM
Views: 121