Publish GHSA-95c6-p277-p87g

advisory-database[bot] · advisory-database[bot] · commit f55118874d1f · 2026-01-21T22:29:13.000Z
diff --git a/advisories/github-reviewed/2026/01/GHSA-95c6-p277-p87g/GHSA-95c6-p277-p87g.json b/advisories/github-reviewed/2026/01/GHSA-95c6-p277-p87g/GHSA-95c6-p277-p87g.json
@@ -0,0 +1,65 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-95c6-p277-p87g",
+  "modified": "2026-01-21T22:27:39Z",
+  "published": "2026-01-21T22:27:39Z",
+  "aliases": [
+    "CVE-2026-23996"
+  ],
+  "summary": "FastAPI Api Key has a timing side-channel in verify_key that allows statistical key validity detection",
+  "details": "### Impact\nTiming side-channel vulnerability in verify_key(). The method applied a random delay only on verification failures, allowing an attacker to statistically distinguish valid from invalid API keys by measuring response latencies. With enough repeated requests, an adversary could infer whether a key_id corresponds to a valid key, potentially accelerating brute-force or enumeration attacks.\n\nAffected: all users relying on verify_key() for API key authentication prior to the fix.\n\n### Patches\nYes. Users should upgrade to version 1.1.0 (or the version containing this fix). The patch applies a uniform random delay (min_delay to max_delay) to all responses regardless of outcome, eliminating the timing correlation.\n\n### Workarounds\n- Add an application-level fixed delay or random jitter to all authentication responses (success and failure) before the fix is applied.\n- Use rate limiting to reduce the feasibility of statistical timing attacks.\n\n### References\n- CWE-208: Observable Timing Discrepancy\n- Commit: 87b27640f77c5ef86c46311b6b5a7e2887e35b77\n- OWASP: https://owasp.org/www-community/attacks/Timing_attack",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "fastapi-api-key"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.1.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/Athroniaeth/fastapi-api-key/security/advisories/GHSA-95c6-p277-p87g"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/Athroniaeth/fastapi-api-key/commit/310b2c5c77305f38c63c0b917539a0344071dfd8"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/Athroniaeth/fastapi-api-key"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/Athroniaeth/fastapi-api-key/releases/tag/1.1.0"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-208"
+    ],
+    "severity": "LOW",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-01-21T22:27:39Z",
+    "nvd_published_at": null
+  }
+}
