PT-2026-3874 · Unknown · Fastapi-Api-Key

Published 2026-01-21 · Updated 2026-03-02
CVE-2026-23996
CVSS v3.1: 3.7 (Low)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: FastAPI Api Key versions prior to 1.1.0
Description: The verify_key() function in FastAPI Api Key contains a timing side-channel that lets an attacker distinguish valid from invalid API keys by measuring response latency. Before the fix, the method applied a random delay only when verification failed, so a successful verification returned measurably faster than a failed one. By repeatedly sending requests and averaging the latencies, an adversary can determine whether a key ID is valid, which speeds up brute-force and enumeration attacks. The affected component is the verify_key() function.
Recommendations: Upgrade to version 1.1.0 or later. The patch introduces a uniform random delay on all responses, success and failure alike, so the added delay no longer correlates with the verification outcome. As a temporary workaround, add an application-level fixed delay or random jitter to every authentication response, not only to failures. Note that random jitter does not remove a timing difference; it only raises the number of samples an attacker must average over, so also implement rate limiting on the authentication endpoint to make statistical timing attacks impractical. Where possible, keep the success and failure code paths doing the same work (for example, always hashing the presented secret and comparing it with a constant-time comparison, even when the key ID is unknown) so that no residual difference remains underneath the jitter.
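The following is an added illustration of the weakness described above and of the uniform-delay fix; it is not code from fastapi-api-key. It assumes a hypothetical key format "<key_id>.<secret>", a store mapping key IDs to the SHA-256 of their secret, and a jitter range of 0.05 to 0.25 s. Each verifier returns the delay it would impose instead of sleeping, so the attacker-side measurement (averaging latencies for a known-valid and a known-invalid key) can be run deterministically offline.

```python
"""Timing side-channel in API-key verification: vulnerable vs. hardened.

Added illustration for this advisory; it is not code from fastapi-api-key.
Assumptions: keys have the form "<key_id>.<secret>" and the store maps a
key ID to the SHA-256 of its secret. Each verifier returns the delay it
would impose instead of sleeping, so the leak can be measured
deterministically; a real handler would await asyncio.sleep(delay).
"""
import hashlib
import hmac
import random

# Constructed sample store for the demo (key_id -> sha256(secret)); not real keys.
KEY_STORE = {
    "k1": hashlib.sha256(b"correct-horse").hexdigest(),
    "k2": hashlib.sha256(b"battery-staple").hexdigest(),
}
# Dummy digest so that unknown key IDs still pay for one hash + one compare.
DUMMY_DIGEST = hashlib.sha256(b"dummy").hexdigest()
JITTER_RANGE = (0.05, 0.25)  # seconds; assumed range for the demo


def _split(api_key):
    key_id, _, secret = api_key.partition(".")
    return key_id, secret


def verify_key_vulnerable(api_key, rng=None):
    """Pre-1.1.0 pattern from the advisory: random delay only on failure.

    Returns (valid, delay_seconds). A valid key returns with no delay, so
    averaging response times separates valid keys from invalid ones.
    """
    if rng is None:
        rng = random.Random()
    key_id, secret = _split(api_key)
    stored = KEY_STORE.get(key_id)
    if stored is not None and hmac.compare_digest(
            hashlib.sha256(secret.encode()).hexdigest(), stored):
        return True, 0.0
    return False, rng.uniform(*JITTER_RANGE)


def verify_key_uniform_delay(api_key, rng=None):
    """Hardened form: the same jitter on every path, and the same work
    (one hash, one constant-time compare) whether or not the key ID exists."""
    if rng is None:
        rng = random.Random()
    delay = rng.uniform(*JITTER_RANGE)  # drawn before the outcome is known
    key_id, secret = _split(api_key)
    known = key_id in KEY_STORE
    stored = KEY_STORE.get(key_id, DUMMY_DIGEST)
    matches = hmac.compare_digest(hashlib.sha256(secret.encode()).hexdigest(), stored)
    return (known and matches), delay


def mean_delay(verify, api_key, samples, seed):
    """Attacker-side measurement: average delay over many requests."""
    rng = random.Random(seed)
    return sum(verify(api_key, rng)[1] for _ in range(samples)) / samples


def leaks_validity(verify, valid_key, invalid_key, samples=2000, threshold=0.02):
    """Does the mean latency differ between a valid and an invalid key by
    more than `threshold` seconds? With jitter only on failure the gap is
    about 0.15 s; with uniform jitter it is sampling noise of a few ms."""
    gap = abs(mean_delay(verify, valid_key, samples, seed=1)
              - mean_delay(verify, invalid_key, samples, seed=2))
    return gap > threshold


if __name__ == "__main__":
    for name, verify in (("vulnerable", verify_key_vulnerable),
                         ("uniform delay", verify_key_uniform_delay)):
        leak = leaks_validity(verify, "k1.correct-horse", "k1.wrong")
        print(f"{name}: leaks validity = {leak}")
```

The hardened verifier draws the jitter before it knows the outcome and always performs the hash and constant-time compare, so neither the added delay nor the amount of work depends on whether the key ID exists or the secret matches. Rate limiting still matters: the attacker's measurement above is just a mean over many requests, and the fewer requests it can make, the less it can resolve.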

Related Identifiers

CVE-2026-23996
GHSA-95C6-P277-P87G

Affected Products

Fastapi-Api-Key