SCA: security update for fastapi-api-key (GHSA-95c6-p277-p87g)

low Tenable Cloud Security Plugin ID 436880

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- FastAPI Api Key provides a backend-agnostic library that provides an API key system. Version 1.1.0 has a
timing side-channel vulnerability in verify_key(). The method applied a random delay only on verification
failures, allowing an attacker to statistically distinguish valid from invalid API keys by measuring
response latencies. With enough repeated requests, an adversary could infer whether a key_id corresponds
to a valid key, potentially accelerating brute-force or enumeration attacks. All users relying on
verify_key() for API key authentication prior to the fix are affected. Users should upgrade to version
1.1.0 to receive a patch. The patch applies a uniform random delay (min_delay to max_delay) to all
responses regardless of outcome, eliminating the timing correlation. Some workarounds are available. Add
an application-level fixed delay or random jitter to all authentication responses (success and failure)
before the fix is applied and/or use rate limiting to reduce the feasibility of statistical timing
attacks. (CVE-2026-23996)

See Also

https://github.com/advisories/GHSA-95c6-p277-p87g

Plugin Details

Severity: Low

ID: 436880

Version: Revision 1.9

Type: Local

Family: SCA Checks

Published: 1/22/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 1.2

Percentile: 0.01

Vendor

Vendor Severity: Low

CVSS v2

Risk Factor: Low

Base Score: 2.6

Temporal Score: 1.9

Vector: CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N

CVSS Score Source: CVE-2026-23996

CVSS v3

Risk Factor: Low

Base Score: 3.7

Temporal Score: 3.2

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 1/21/2026

Vulnerability Publication Date: 1/21/2026

Reference Information

CVE: CVE-2026-23996

cwe: CWE-208