The Tell-Tale Delay: Timing Side-Channels in fastapi-api-key
Vulnerability ID: CVE-2026-23996
CVSS Score: 3.7
Published: 2026-01-21
A classic case of 'security features' creating security bugs. The fastapi-api-key library inadvertently created a timing oracle by applying rate-limiting jitter only to failed authentication attempts, allowing attackers to identify valid keys by measuring response speed.
TL;DR
The fastapi-api-key library (< 1.1.0) tried to prevent brute-forcing by adding a random delay (jitter) to failed requests. Crucially, it did not delay successful requests. This created a timing side-channel where valid API keys returned significantly faster than invalid ones. Attackers could exploit this asymmetry using statistical analysis to enumerate valid credentials. The fix involves applying the delay uniformly to both success and failure states.
Technical Details
- CWE ID: CWE-208
- Attack Vector: Network
- CVSS Score: 3.7 (Low)
- Attack Complexity: High
- Privileges Required: None
- Exploit Status: None (No public exploit)
Affected Systems
- Python FastAPI applications using fastapi-api-key < 1.1.0
- fastapi-api-key: < 1.1.0 (fixed in 1.1.0)
Code Analysis
Commit: 310b2c5
Fix timing side-channel by applying delay to all paths
@@ -14,10 +14,10 @@
try:
- return await self._verify_key(api_key, required_scopes)
+ result = await self._verify_key(api_key, required_scopes)
except Exception as e:
- wait = self._system_random.uniform(self.rrd, self.rrd * 2)
- await asyncio.sleep(wait)
+ await self._apply_delay()
raise e
+ await self._apply_delay()
+ return result
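Review bot: the body of `_apply_delay()` is not in this hunk, so the reviewer cannot confirm it draws from the same `uniform(self.rrd, self.rrd * 2)` distribution the removed inline lines used; if the success and failure paths ended up with different distributions the asymmetry would simply move rather than disappear, so a test that compares mean latency of valid and invalid keys over many samples belongs with this fix. Two smaller points: `raise e` inside the `except Exception as e:` block can be a bare `raise` to preserve the original traceback, and because `Exception` is caught broadly, unrelated failures inside `_verify_key` (a backend lookup error, for instance) also pay the delay, which is acceptable for timing uniformity but worth a comment so it is not mistaken for a bug later.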
Mitigation Strategies
- Upgrade to version 1.1.0 which applies uniform jitter.
- Implement constant-time authentication wrappers where possible.
- Use aggressive rate limiting to disrupt statistical timing analysis.
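The following is an added illustration, not code from fastapi-api-key, of the two shapes described in the TL;DR and in the mitigation list above: a verifier that jitters only on failure (the pre-1.1.0 bug) next to one that applies the same jitter on every path (the 1.1.0 fix), plus a small regression check a maintainer can run to confirm the latency gap between valid and invalid keys has collapsed. The class and method names, the constructed key store, and the `rrd` base-delay value are assumptions for this example; the key comparison uses `hmac.compare_digest` so the comparison itself is not a second timing channel.

```python
import asyncio
import hmac
import random
import time
from typing import List, Optional, Tuple

# Constructed demo key store (placeholder values, not real credentials).
VALID_KEYS = {"demo-key-1": {"scopes": ["read"]}}


class KeyVerifier:
    """Base verifier: returns the key's scopes, raises PermissionError on a bad key.

    Names here are assumptions for this illustration, not fastapi-api-key's API.
    """

    def __init__(self, rrd: float = 0.01):
        self.rrd = rrd  # base delay in seconds; jitter is uniform in [rrd, 2*rrd]
        self._rng = random.SystemRandom()

    async def _apply_delay(self) -> None:
        await asyncio.sleep(self._rng.uniform(self.rrd, self.rrd * 2))

    async def _verify_key(self, api_key: str) -> List[str]:
        # Compare against every stored key with a constant-time comparison and
        # keep going after a hit, so neither the match position nor the prefix
        # length of the presented key changes how long the lookup takes.
        match = None
        for stored, meta in VALID_KEYS.items():
            if hmac.compare_digest(api_key.encode(), stored.encode()):
                match = meta
        if match is None:
            raise PermissionError("invalid API key")
        return match["scopes"]


class VulnerableVerifier(KeyVerifier):
    """Pre-1.1.0 shape: jitter only on the failure path (the side-channel)."""

    async def verify(self, api_key: str) -> List[str]:
        try:
            return await self._verify_key(api_key)
        except Exception:
            await self._apply_delay()
            raise


class HardenedVerifier(KeyVerifier):
    """1.1.0 shape: the same jitter on success and on failure."""

    async def verify(self, api_key: str) -> List[str]:
        try:
            result = await self._verify_key(api_key)
        except Exception:
            await self._apply_delay()
            raise
        await self._apply_delay()
        return result


async def _timed(verifier: KeyVerifier, api_key: str) -> float:
    """Wall-clock seconds for one verify() call, success or failure."""
    start = time.perf_counter()
    try:
        await verifier.verify(api_key)
    except PermissionError:
        pass
    return time.perf_counter() - start


async def timing_gap(verifier: KeyVerifier, samples: int = 20) -> float:
    """Mean failure latency minus mean success latency, in seconds.

    Near zero means the delay no longer distinguishes the two paths; this is
    the regression check a maintainer would keep next to the fix.
    """
    ok = [await _timed(verifier, "demo-key-1") for _ in range(samples)]
    bad = [await _timed(verifier, "wrong-key-x") for _ in range(samples)]
    return sum(bad) / samples - sum(ok) / samples


def gaps(samples: int = 20) -> Tuple[float, float]:
    """Run both verifiers and return (vulnerable_gap, hardened_gap)."""

    async def run() -> Tuple[float, float]:
        return (
            await timing_gap(VulnerableVerifier(), samples),
            await timing_gap(HardenedVerifier(), samples),
        )

    return asyncio.run(run())


def scopes_for(api_key: str) -> Optional[List[str]]:
    """Synchronous helper around the hardened verifier; None on a bad key."""
    try:
        return asyncio.run(HardenedVerifier().verify(api_key))
    except PermissionError:
        return None


if __name__ == "__main__":
    vulnerable, hardened = gaps()
    print(f"vulnerable: failures slower by {vulnerable * 1000:.1f} ms")
    print(f"hardened:   failures slower by {hardened * 1000:.1f} ms")
```

With the default `rrd` of 10 ms the vulnerable verifier shows a gap of roughly 15 ms (the mean of the jitter window that only failures pay), while the hardened one stays within the noise of the jitter itself; the thresholds in a regression test should be set from the jitter window rather than hard-coded so they survive a change to `rrd`.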
Remediation Steps:
- Update dependencies: pip install --upgrade fastapi-api-key
- Verify the installed version is >= 1.1.0
- Review application logs for patterns of high-frequency 401/403 responses.