PT-2026-27198 · Api · Api
Asdf2Adsfad · Published 2026-03-23 · Updated 2026-03-27 · CVE-2026-32879
CVSS v3.1: 4.9 (Medium)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: New API versions 0.10.0 and later

Description: A flaw exists in the universal secure verification flow that allows an authenticated user with a registered passkey to bypass the WebAuthn assertion requirement. The issue affects every action protected by SecureVerificationRequired(). Specifically, when POST /api/verify receives a request body of {"method":"passkey"}, it only checks that the user has a registered passkey; it never validates that a WebAuthn assertion (a signature by the authenticator over a server-issued challenge) was actually completed for the current session. The step-up window is therefore granted without any proof of possession of the authenticator, which can lead to unauthorized access to sensitive information such as channel secrets via POST /api/channel/:id/key. Successful exploitation requires an existing authenticated session and a registered passkey; no interaction with the authenticator is needed.

Recommendations: For versions 0.10.0 and later, do not rely on passkey as the step-up method for privileged secure-verification actions. Require TOTP/2FA for privileged secure-verification actions where possible. Temporarily restrict access to endpoints protected by secure verification until a fixed version is deployed.
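The following Go example is added here to illustrate the class of bug the advisory describes; it is not New API's own code, and the session model, function names and the 2-minute assertion freshness window are assumptions. VerifyVulnerable reproduces the flawed logic (passkey presence alone grants the step-up window), while VerifyFixed grants it only when a WebAuthn assertion was verified for this session moments earlier, and consumes that proof so it cannot be reused for a second /api/verify call. StepUpOK is the check a SecureVerificationRequired()-style gate must enforce in front of endpoints like POST /api/channel/:id/key.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Session is the server-side state of one already-authenticated user.
// Illustrative model for this example, not New API's own session type.
type Session struct {
	UserID          string
	HasPasskey      bool      // a WebAuthn credential is registered for the user
	AssertionProved time.Time // zero unless a WebAuthn assertion was just verified
	StepUpUntil     time.Time // window during which the secure-verification gate passes
}

const (
	assertionMaxAge = 2 * time.Minute  // assumed freshness window for a proved assertion
	stepUpWindow    = 10 * time.Minute // assumed lifetime of a granted step-up
)

var (
	errNoPasskey     = errors.New("no passkey registered")
	errNoAssertion   = errors.New("no fresh WebAuthn assertion for this session")
	errUnknownMethod = errors.New("unsupported verification method")
)

// VerifyVulnerable mirrors the flaw in the advisory: for method "passkey" it
// only checks that a passkey exists and then grants the step-up window.
func VerifyVulnerable(s *Session, method string, now time.Time) error {
	switch method {
	case "passkey":
		if !s.HasPasskey {
			return errNoPasskey
		}
		s.StepUpUntil = now.Add(stepUpWindow) // granted without any assertion
		return nil
	default:
		return errUnknownMethod
	}
}

// VerifyFixed grants the step-up window only if a WebAuthn assertion was
// verified for this session within assertionMaxAge, then consumes that proof
// so a single assertion cannot unlock /api/verify twice.
func VerifyFixed(s *Session, method string, now time.Time) error {
	switch method {
	case "passkey":
		if !s.HasPasskey {
			return errNoPasskey
		}
		if s.AssertionProved.IsZero() || now.Sub(s.AssertionProved) > assertionMaxAge {
			return errNoAssertion
		}
		s.AssertionProved = time.Time{} // single use
		s.StepUpUntil = now.Add(stepUpWindow)
		return nil
	default:
		return errUnknownMethod
	}
}

// RecordAssertion is what a (hypothetical) WebAuthn finish handler calls after
// it has validated the authenticator's signature over the server's challenge.
func RecordAssertion(s *Session, now time.Time) { s.AssertionProved = now }

// StepUpOK is the check the secure-verification gate must perform before
// serving a protected action such as POST /api/channel/:id/key.
func StepUpOK(s *Session, now time.Time) bool {
	return !s.StepUpUntil.IsZero() && now.Before(s.StepUpUntil)
}

func main() {
	now := time.Now()
	var req struct {
		Method string `json:"method"`
	}
	// Constructed request body matching the advisory's trigger.
	_ = json.Unmarshal([]byte(`{"method":"passkey"}`), &req)

	s := &Session{UserID: "u1", HasPasskey: true}
	fmt.Println("vulnerable:", VerifyVulnerable(s, req.Method, now), "step-up:", StepUpOK(s, now))

	s = &Session{UserID: "u1", HasPasskey: true}
	fmt.Println("fixed, no assertion:", VerifyFixed(s, req.Method, now), "step-up:", StepUpOK(s, now))
	RecordAssertion(s, now)
	fmt.Println("fixed, after assertion:", VerifyFixed(s, req.Method, now), "step-up:", StepUpOK(s, now))
	fmt.Println("fixed, replayed proof:", VerifyFixed(s, req.Method, now))
}
```

The design point is that "has a passkey" is a property of the account, while "completed an assertion" is a property of the current session and must be recorded by the handler that cryptographically verified the authenticator response, bound to a freshness window, and consumed on use. Checking the first in place of the second is exactly the bypass.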

Weakness Enumeration

Improper Authentication (CWE-287)

Related Identifiers

CVE-2026-32879
GHSA-5353-F8FQ-65VC
GO-2026-4813
SUSE-SU-2026:1135-1

Affected Products

Api