Skip to main content

Apache APISIX CVE-2026-47339

| EUVDEUVD-2026-38015 MEDIUM
Incorrect Authorization (CWE-863)
2026-06-19 apache GHSA-2455-m68h-qwxv
5.3
CVSS 4.0 · Vendor: apache
Share

Severity by source

Vendor (apache) PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
9.6 CRITICAL

Network-reachable via default plugin config; low privileges (credentials required); scope changes to high-value backend APIs with full C/I impact but no availability impact described.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N

Primary rating from Vendor (apache).

CVSS VectorVendor: apache

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jun 19, 2026 - 14:22 vuln.today
CVE Published
Jun 19, 2026 - 13:10 cve.org
MEDIUM 5.3

DescriptionCVE.org

Incorrect Authorization vulnerability in Apache APISIX.

An attacker can capitalise on authz-casdoor plugin under default configuration to authenticate themselves with credentials from a different source. This issue affects Apache APISIX: from 2.14.1 through 3.16.0.

Users are recommended to upgrade to version 3.17.0, which fixes the issue.

AnalysisAI

Incorrect authorization in the Apache APISIX authz-casdoor plugin allows a network-authenticated attacker to cross-authenticate using credentials from a different identity source, effectively bypassing the intended authorization boundary. Affected versions span 2.14.1 through 3.16.0, covering a wide deployment surface for this popular open-source API gateway. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain credentials from alternate identity source
Delivery
Send authentication request to APISIX route protected by authz-casdoor plugin
Exploit
Plugin fails to verify credential source matches configured provider
Execution
Authorization granted despite mismatched identity origin
Persist
Access upstream APIs as unauthorized principal
Impact
Exfiltrate data or perform unauthorized write operations on backend services

Vulnerability AssessmentAI

Exploitation The authz-casdoor plugin must be actively configured and enabled on one or more APISIX routes - deployments that do not use this plugin are entirely unaffected. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 5.3 (Medium) reflects a nuanced threat model: AV:N and AC:L signal that the attack is network-reachable with low complexity once preconditions are met, but AT:P acknowledges that the authz-casdoor plugin must be actively deployed, and PR:L confirms some credential material is required from the attacker. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who possesses valid credentials from a different identity provider or Casdoor tenant - not the one configured to protect the target API route - sends a crafted authentication request to an APISIX route secured by the authz-casdoor plugin. Because the plugin under default configuration does not enforce that the credential source matches the configured authorization policy, APISIX grants access to the upstream API as if the attacker were a legitimate user. …
Remediation The primary and strongly recommended fix is to upgrade Apache APISIX to version 3.17.0, which the Apache Software Foundation has confirmed resolves the incorrect authorization logic in the authz-casdoor plugin. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-39999 HIGH
7.0 Jun 19

Authentication bypass in Apache APISIX versions 2.2 through 3.16.0 allows remote attackers to circumvent authentication

CVE-2026-47341 MEDIUM
6.3 Jun 19

HMAC authentication replay in Apache APISIX 3.11.0 through 3.16.0 permits remote attackers who have captured a valid hma

CVE-2026-49230 MEDIUM
6.3 Jun 19

Authentication bypass in Apache APISIX's jwe-decrypt plugin (versions 3.8.0 through 3.16.0) allows unauthenticated netwo

CVE-2026-39998 MEDIUM
5.8 Jun 19

Identity header spoofing in Apache APISIX versions 2.12.0 through 3.16.0 allows a low-privileged network attacker to man

CVE-2026-49872 MEDIUM
5.3 Jun 19

Authentication bypass in Apache APISIX 3.0.0 through 3.16.0 allows a network-accessible attacker holding valid credentia

CVE-2026-44087 MEDIUM
5.3 Jun 19

Identity header spoofing in Apache APISIX's openid-connect plugin (versions 2.3 through 3.16.0) enables low-privileged n

CVE-2026-49231 LOW
2.3 Jun 19

Identity header spoofing in the Apache APISIX OPA (Open Policy Agent) plugin allows low-privileged network attackers to

CVE-2026-44046 LOW
2.3 Jun 19

The wolf-rbac plugin in Apache APISIX 1.2.0 through 3.16.0 trusts client-controlled identity and IP data under its defau

CVE-2026-48895 LOW
2.1 Jun 19

Open redirect in Apache APISIX 3.0.0 through 3.16.0 enables unauthenticated remote attackers to manipulate specific HTTP

CVE-2026-44915 LOW
2.1 Jun 19

Open redirect in Apache APISIX's cas-auth plugin exposes users to phishing and credential theft when the plugin is used

CVE-2026-49871 LOW
2.1 Jun 19

The cas-auth plugin in Apache APISIX 3.0.0-3.16.0 enables identity substitution via CSRF under its default configuration

Share

CVE-2026-47339 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy