CVE-2026-23996

3.7 LOW

📋 TL;DR

FastAPI API Key versions prior to 1.1.0 have a timing side-channel vulnerability in verify_key(): response latency differs depending on whether the presented key is valid, so an attacker who measures many responses can statistically distinguish valid from invalid API keys. This can accelerate brute-force or enumeration attacks against API key authentication. All users relying on verify_key() for authentication before the fix are affected.
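As an added illustration of the defect class described above (example code, not the fastapi-api-key project's own implementation): a verify function that returns early for unknown key IDs, beside one that does the same hashing work and a constant-time comparison on every path. The "key_id.secret" format, the in-memory store and the PBKDF2 parameters are assumptions for this example.

```python
import hashlib
import hmac
import os
import time
from statistics import median

# Constructed example: keys are "key_id.secret"; the store maps key_id to
# (salt, pbkdf2(secret)). This layout is an assumption for the example, not
# the fastapi-api-key project's own design.
def _hash_secret(salt: bytes, secret: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 20_000)

_SALT = b"constructed-salt"
KEYS = {"k1": (_SALT, _hash_secret(_SALT, "s3cret"))}
# Dummy record so that unknown key IDs cost exactly one hash, like known ones.
_DUMMY_SALT = os.urandom(16)
_DUMMY = (_DUMMY_SALT, _hash_secret(_DUMMY_SALT, os.urandom(16).hex()))


def verify_key_vulnerable(api_key: str) -> bool:
    """Leaks whether key_id exists: unknown IDs return before any hashing."""
    key_id, _, secret = api_key.partition(".")
    record = KEYS.get(key_id)
    if record is None:
        return False                       # fast path: measurably quicker
    salt, stored = record
    return _hash_secret(salt, secret) == stored   # '==' is not constant-time


def verify_key_hardened(api_key: str) -> bool:
    """Same amount of work and a constant-time compare on every path."""
    key_id, _, secret = api_key.partition(".")
    salt, stored = KEYS.get(key_id, _DUMMY)  # always hash, even for unknown IDs
    candidate = _hash_secret(salt, secret)
    matched = hmac.compare_digest(candidate, stored)
    return matched and key_id in KEYS        # the dummy record never authenticates


def median_latency_us(fn, api_key: str, rounds: int = 30) -> float:
    """Median wall-clock latency in microseconds, to check for the gap."""
    samples = []
    for _ in range(rounds):
        t0 = time.perf_counter_ns()
        fn(api_key)
        samples.append((time.perf_counter_ns() - t0) / 1000)
    return median(samples)


if __name__ == "__main__":
    for fn in (verify_key_vulnerable, verify_key_hardened):
        known = median_latency_us(fn, "k1.wrong-secret")
        unknown = median_latency_us(fn, "zz.wrong-secret")
        print(f"{fn.__name__}: known-id {known:.0f}us, unknown-id {unknown:.0f}us")
```

Running it shows the vulnerable function answering unknown IDs far faster than known ones, while the hardened function's two medians sit within noise of each other.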

💻 Affected Systems

Products:
  • FastAPI API Key
Versions: Versions prior to 1.1.0
Operating Systems: all
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems using verify_key() for API key authentication.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could enumerate valid API keys through timing analysis, leading to unauthorized API access, data breaches, or account takeover.

🟠 Likely Case

Attackers could identify valid key IDs through statistical timing analysis, reducing the search space for brute-force attacks.

🟢 If Mitigated

With proper controls, attackers would need significantly more requests to achieve statistical significance, making attacks impractical.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires statistical analysis of timing data from many requests.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.1.0

Vendor Advisory: https://github.com/Athroniaeth/fastapi-api-key/security/advisories/GHSA-95c6-p277-p87g

Restart Required: No

Instructions:

1. Update the FastAPI API Key package to version 1.1.0 or later.
2. Verify the update was successful.
3. Test authentication functionality.

🔧 Temporary Workarounds

Add application-level timing protection
  • Platform: all
  • Add a fixed delay or random jitter to all authentication responses (success and failure)
  • Implementation depends on application framework

Implement rate limiting
  • Platform: all
  • Limit authentication attempts to reduce the feasibility of statistical timing attacks
  • Implementation depends on application framework

🧯 If You Can't Patch

  • Implement strict rate limiting on authentication endpoints
  • Add uniform random delays to all authentication responses

🔍 How to Verify

Check if Vulnerable:

You are vulnerable if you run a FastAPI API Key version prior to 1.1.0 and use verify_key() for authentication.

Check Version:

pip show fastapi-api-key | grep Version

Verify Fix Applied:

Verify FastAPI API Key version is 1.1.0 or later

📡 Detection & Monitoring

Log Indicators:

  • Unusually high volume of authentication requests
  • Requests with varying API keys from same source

Network Indicators:

  • High volume of authentication requests with timing patterns
  • Requests to authentication endpoints with varying parameters

SIEM Query:

source_ip:* AND (endpoint:"/auth" OR endpoint:"/authenticate") AND count > 1000 per hour
