CVE-2026-23996

The Tell-Tale Delay: Timing Side-Channels in fastapi-api-key

Amit Schendel
Senior Security Researcher

Jan 21, 2026

Executive Summary (TL;DR)

The `fastapi-api-key` library (< 1.1.0) tried to prevent brute-forcing by adding a random delay (jitter) to failed requests. Crucially, it did *not* delay successful requests. This created a timing side-channel where valid API keys returned significantly faster than invalid ones. Attackers could exploit this asymmetry using statistical analysis to enumerate valid credentials. The fix involves applying the delay uniformly to both success and failure states.

A classic case of 'security features' creating security bugs. The fastapi-api-key library inadvertently created a timing oracle by applying rate-limiting jitter only to failed authentication attempts, allowing attackers to identify valid keys by measuring response speed.
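As an added illustration of the pattern described above (not the library's own code), the vulnerable and fixed verification paths side by side; the stored key, digest store and delay range are constructed for the example, and the sleep function is injectable so the logic can be exercised without real delays:

```python
"""Illustrative model of the CVE-2026-23996 pattern (added example, not
fastapi-api-key's own code). The vulnerable verifier jitters only the
failure path; the fixed verifier draws the same delay on both paths, so
response time carries no signal about key validity. The sleep function is
injectable so the logic can be checked without actually sleeping."""
import hashlib
import hmac
import random
import time

# Constructed sample: one stored SHA-256 digest of a valid key (a real
# deployment would use a dedicated KDF; sha256 keeps the example short).
VALID_KEY = "sk_live_constructed_example_key"
STORED_DIGESTS = [hashlib.sha256(VALID_KEY.encode()).hexdigest()]


def key_is_known(candidate: str) -> bool:
    """Constant-time membership check: compare against every stored digest
    so the amount of work does not depend on where (or whether) a match is."""
    digest = hashlib.sha256(candidate.encode()).hexdigest()
    found = False
    for stored in STORED_DIGESTS:
        found |= hmac.compare_digest(digest, stored)
    return found


def jitter() -> float:
    """Random brute-force mitigation delay, in seconds."""
    return random.uniform(0.2, 0.5)


def verify_vulnerable(candidate: str, sleep=time.sleep) -> tuple[bool, float]:
    """Delays only on failure: a valid key returns immediately (the bug)."""
    if key_is_known(candidate):
        return True, 0.0
    delay = jitter()
    sleep(delay)
    return False, delay


def verify_fixed(candidate: str, sleep=time.sleep) -> tuple[bool, float]:
    """Delays on both paths: the delay is drawn before the outcome is known
    and paid regardless of it, so success and failure are indistinguishable."""
    delay = jitter()
    valid = key_is_known(candidate)
    sleep(delay)
    return valid, delay
```

The second tuple element is the delay each path paid, which is what a remote caller observes as response time.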


Technical Appendix

CVSS Score
3.7 / 10
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Affected Systems

Python FastAPI applications using fastapi-api-key < 1.1.0

Affected Versions Detail

Product: fastapi-api-key (Athroniaeth)
Affected Versions: < 1.1.0
Fixed Version: 1.1.0
CWE ID: CWE-208
Attack Vector: Network
CVSS Score: 3.7 (Low)
Attack Complexity: High
Privileges Required: None
Exploit Status: None (no public exploit)

CWE-208: Observable Timing Discrepancy

The product provides information about the state of a secret or sensitive operation through a timing discrepancy that is observable to an attacker.

Vulnerability Timeline

Vulnerability Disclosed
2026-01-21
Patch 1.1.0 Released
2026-01-21
GHSA Advisory Published
2026-01-21
