Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable bypass requiring a specific jwt-auth config (AC:H) with no auth or interaction; scope changes to backend (S:C) yielding high confidentiality and integrity impact, no availability effect.
Primary rating from Vendor (apache).
CVSS VectorVendor: apache
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Authentication Bypass by Spoofing vulnerability in Apache APISIX.
The attacker can completely bypass authentication capitalising on certain configurations of jwt-auth plugin. This issue affects Apache APISIX: from v2.2 through v3.16.0.
Users are recommended to upgrade to version v3.17.0, which fixes the issue.
AnalysisAI
Authentication bypass in Apache APISIX versions 2.2 through 3.16.0 allows remote attackers to circumvent authentication enforced by the jwt-auth plugin under certain configurations, granting unauthorized access to APIs that should require a valid JWT. The flaw stems from spoofable identity assertions (CWE-290) in the plugin's verification logic, and at time of analysis there is no public exploit identified, but the wide affected version range and gateway role make it operationally significant.
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires (1) an Apache APISIX instance in the range v2.2 through v3.16.0, (2) at least one route configured with the jwt-auth plugin, and (3) that plugin configured in the specific vulnerable shape referenced by the advisory (the Apache thread is the authoritative source for which option combinations trigger the bypass - likely involving algorithm selection or consumer-claim handling). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor-supplied CVSS 4.0 vector (AV:N/AC:L/AT:P/PR:N/UI:N) describes a network-reachable, unauthenticated, low-complexity attack with a present Attack Requirement (AT:P) - consistent with the description's 'certain configurations' qualifier - and notably sets vulnerable-system impacts VC/VI/VA to None while raising subsequent-system SC:H/SI:H, modeling the gateway as a pass-through whose compromise impacts the protected backends rather than APISIX itself, which is a defensible but unusual scoring choice security teams should sanity-check against their own threat model. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker on the internet sends an HTTP request directly to an APISIX route protected by jwt-auth, supplying a crafted or spoofed JWT (for example with a manipulated header, claim, or algorithm) that the vulnerable plugin configuration accepts as valid. APISIX then proxies the request to the backend as if the attacker were an authenticated consumer, giving access to APIs and data that should have required a legitimate token; no public exploit is identified at time of analysis, but the conditions are reproducible from the advisory description. |
| Remediation | Vendor-released patch: Apache APISIX v3.17.0 - upgrade all gateway instances per the Apache advisory at https://lists.apache.org/thread/nfopt8cnxd3k0rs1oxtr7lzxrdw4mojq. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Audit all APISIX deployments to identify affected versions (2.2-3.16.0) and confirm jwt-auth plugin status; enable detailed access logging on protected API endpoints to establish baseline and detect anomalies. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Apache Apisix
View allHMAC authentication replay in Apache APISIX 3.11.0 through 3.16.0 permits remote attackers who have captured a valid hma
Authentication bypass in Apache APISIX's jwe-decrypt plugin (versions 3.8.0 through 3.16.0) allows unauthenticated netwo
Identity header spoofing in Apache APISIX versions 2.12.0 through 3.16.0 allows a low-privileged network attacker to man
Authentication bypass in Apache APISIX 3.0.0 through 3.16.0 allows a network-accessible attacker holding valid credentia
Incorrect authorization in the Apache APISIX authz-casdoor plugin allows a network-authenticated attacker to cross-authe
Identity header spoofing in Apache APISIX's openid-connect plugin (versions 2.3 through 3.16.0) enables low-privileged n
Identity header spoofing in the Apache APISIX OPA (Open Policy Agent) plugin allows low-privileged network attackers to
The wolf-rbac plugin in Apache APISIX 1.2.0 through 3.16.0 trusts client-controlled identity and IP data under its defau
Open redirect in Apache APISIX 3.0.0 through 3.16.0 enables unauthenticated remote attackers to manipulate specific HTTP
Open redirect in Apache APISIX's cas-auth plugin exposes users to phishing and credential theft when the plugin is used
The cas-auth plugin in Apache APISIX 3.0.0-3.16.0 enables identity substitution via CSRF under its default configuration
Same weakness CWE-290 – Authentication Bypass by Spoofing
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38013
GHSA-pw26-hvcp-w6vj