cvedb.io
CVE-2026-23996
LOW · CVSS 3.7
EPSS exploitation probability: 0%
Published 2026-01-21T23:15:53.090 · Last modified 2026-06-17T10:22:26.950

Summary

FastAPI Api Key provides a backend-agnostic library that provides an API key system. Version 1.1.0 has a timing side-channel vulnerability in verify_key(). The method applied a random delay only on verification failures, allowing an attacker to statistically distinguish valid from invalid API keys by measuring response latencies. With enough repeated requests, an adversary could infer whether a key_id corresponds to a valid key, potentially accelerating brute-force or enumeration attacks. All users relying on verify_key() for API key authentication prior to the fix are affected. Users should upgrade to version 1.1.0 to receive a patch. The patch applies a uniform random delay (min_delay to max_delay) to all responses regardless of outcome, eliminating the timing correlation. Some workaroun

Affected products

athroniaeth — fastapi_api_key

Does this affect you?

Add your gear to cvedb and we'll alert you only when athroniaeth ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.