Skip to main content

Apache APISIX CVE-2026-39999

| EUVDEUVD-2026-38013 HIGH
Authentication Bypass by Spoofing (CWE-290)
2026-06-19 apache GHSA-pw26-hvcp-w6vj
7.0
CVSS 4.0 · Vendor: apache
Share

Severity by source

Vendor (apache) PRIMARY
7.0 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.7 HIGH

Network-reachable bypass requiring a specific jwt-auth config (AC:H) with no auth or interaction; scope changes to backend (S:C) yielding high confidentiality and integrity impact, no availability effect.

3.1 AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N

Primary rating from Vendor (apache).

CVSS VectorVendor: apache

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jun 19, 2026 - 14:17 vuln.today
CVE Published
Jun 19, 2026 - 13:07 cve.org
HIGH 7.0

DescriptionCVE.org

Authentication Bypass by Spoofing vulnerability in Apache APISIX.

The attacker can completely bypass authentication capitalising on certain configurations of jwt-auth plugin. This issue affects Apache APISIX: from v2.2 through v3.16.0.

Users are recommended to upgrade to version v3.17.0, which fixes the issue.

AnalysisAI

Authentication bypass in Apache APISIX versions 2.2 through 3.16.0 allows remote attackers to circumvent authentication enforced by the jwt-auth plugin under certain configurations, granting unauthorized access to APIs that should require a valid JWT. The flaw stems from spoofable identity assertions (CWE-290) in the plugin's verification logic, and at time of analysis there is no public exploit identified, but the wide affected version range and gateway role make it operationally significant.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify APISIX gateway with jwt-auth route
Delivery
Craft spoofed JWT matching vulnerable config
Exploit
Send request to protected endpoint
Execution
Plugin accepts forged token
Persist
Gateway proxies request as authenticated consumer
Impact
Access or manipulate backend API data

Vulnerability AssessmentAI

Exploitation Exploitation requires (1) an Apache APISIX instance in the range v2.2 through v3.16.0, (2) at least one route configured with the jwt-auth plugin, and (3) that plugin configured in the specific vulnerable shape referenced by the advisory (the Apache thread is the authoritative source for which option combinations trigger the bypass - likely involving algorithm selection or consumer-claim handling). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor-supplied CVSS 4.0 vector (AV:N/AC:L/AT:P/PR:N/UI:N) describes a network-reachable, unauthenticated, low-complexity attack with a present Attack Requirement (AT:P) - consistent with the description's 'certain configurations' qualifier - and notably sets vulnerable-system impacts VC/VI/VA to None while raising subsequent-system SC:H/SI:H, modeling the gateway as a pass-through whose compromise impacts the protected backends rather than APISIX itself, which is a defensible but unusual scoring choice security teams should sanity-check against their own threat model. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker on the internet sends an HTTP request directly to an APISIX route protected by jwt-auth, supplying a crafted or spoofed JWT (for example with a manipulated header, claim, or algorithm) that the vulnerable plugin configuration accepts as valid. APISIX then proxies the request to the backend as if the attacker were an authenticated consumer, giving access to APIs and data that should have required a legitimate token; no public exploit is identified at time of analysis, but the conditions are reproducible from the advisory description.
Remediation Vendor-released patch: Apache APISIX v3.17.0 - upgrade all gateway instances per the Apache advisory at https://lists.apache.org/thread/nfopt8cnxd3k0rs1oxtr7lzxrdw4mojq. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit all APISIX deployments to identify affected versions (2.2-3.16.0) and confirm jwt-auth plugin status; enable detailed access logging on protected API endpoints to establish baseline and detect anomalies. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-47341 MEDIUM
6.3 Jun 19

HMAC authentication replay in Apache APISIX 3.11.0 through 3.16.0 permits remote attackers who have captured a valid hma

CVE-2026-49230 MEDIUM
6.3 Jun 19

Authentication bypass in Apache APISIX's jwe-decrypt plugin (versions 3.8.0 through 3.16.0) allows unauthenticated netwo

CVE-2026-39998 MEDIUM
5.8 Jun 19

Identity header spoofing in Apache APISIX versions 2.12.0 through 3.16.0 allows a low-privileged network attacker to man

CVE-2026-49872 MEDIUM
5.3 Jun 19

Authentication bypass in Apache APISIX 3.0.0 through 3.16.0 allows a network-accessible attacker holding valid credentia

CVE-2026-47339 MEDIUM
5.3 Jun 19

Incorrect authorization in the Apache APISIX authz-casdoor plugin allows a network-authenticated attacker to cross-authe

CVE-2026-44087 MEDIUM
5.3 Jun 19

Identity header spoofing in Apache APISIX's openid-connect plugin (versions 2.3 through 3.16.0) enables low-privileged n

CVE-2026-49231 LOW
2.3 Jun 19

Identity header spoofing in the Apache APISIX OPA (Open Policy Agent) plugin allows low-privileged network attackers to

CVE-2026-44046 LOW
2.3 Jun 19

The wolf-rbac plugin in Apache APISIX 1.2.0 through 3.16.0 trusts client-controlled identity and IP data under its defau

CVE-2026-48895 LOW
2.1 Jun 19

Open redirect in Apache APISIX 3.0.0 through 3.16.0 enables unauthenticated remote attackers to manipulate specific HTTP

CVE-2026-44915 LOW
2.1 Jun 19

Open redirect in Apache APISIX's cas-auth plugin exposes users to phishing and credential theft when the plugin is used

CVE-2026-49871 LOW
2.1 Jun 19

The cas-auth plugin in Apache APISIX 3.0.0-3.16.0 enables identity substitution via CSRF under its default configuration

Share

CVE-2026-39999 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy