CVE-2026-23996
Unknown Unknown - Not Provided
Timing Side-Channel Vulnerability in FastAPI Api Key Verification

Publication date: 2026-01-21

Last updated on: 2026-02-27

Assigner: GitHub, Inc.

Description
FastAPI Api Key provides a backend-agnostic library that provides an API key system. Version 1.1.0 has a timing side-channel vulnerability in verify_key(). The method applied a random delay only on verification failures, allowing an attacker to statistically distinguish valid from invalid API keys by measuring response latencies. With enough repeated requests, an adversary could infer whether a key_id corresponds to a valid key, potentially accelerating brute-force or enumeration attacks. All users relying on verify_key() for API key authentication prior to the fix are affected. Users should upgrade to version 1.1.0 to receive a patch. The patch applies a uniform random delay (min_delay to max_delay) to all responses regardless of outcome, eliminating the timing correlation. Some workarounds are available. Add an application-level fixed delay or random jitter to all authentication responses (success and failure) before the fix is applied and/or use rate limiting to reduce the feasibility of statistical timing attacks.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-21
Last Modified
2026-02-27
Generated
2026-06-16
AI Q&A
2026-01-22
EPSS Evaluated
2026-06-15
NVD
CVE-2026-23996
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
athroniaeth fastapi_api_key to 1.1.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-208 Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a timing side-channel issue in the verify_key() function of FastAPI Api Key version 1.1.0. The function applied a random delay only when verification failed, which allowed attackers to measure response times and statistically determine whether an API key was valid or invalid. By making many repeated requests and analyzing the response latencies, an attacker could infer if a key_id corresponds to a valid key, potentially speeding up brute-force or enumeration attacks.

Impact Analysis

The vulnerability can allow an attacker to distinguish valid API keys from invalid ones by measuring response times, which can accelerate brute-force or enumeration attacks against your API keys. This could lead to unauthorized access if an attacker successfully guesses or enumerates valid keys. Users relying on verify_key() for API key authentication before the fix are affected.

Detection Guidance

This vulnerability can be detected by measuring response latencies to API key verification requests. An attacker can send repeated requests with different key_id values and statistically analyze the response times to distinguish valid keys from invalid ones. Specific commands are not provided in the available information.

Mitigation Strategies

Immediate mitigation steps include upgrading to FastAPI Api Key version 1.1.0 which applies a uniform random delay to all verification responses, eliminating timing side-channel leaks. Alternatively, before upgrading, you can add an application-level fixed delay or random jitter to all authentication responses (both success and failure) and/or implement rate limiting to reduce the feasibility of statistical timing attacks.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23996. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart