Skip to main content

Apache APISIX EUVDEUVD-2026-38024

| CVE-2026-47341 MEDIUM
Authentication Bypass by Capture-replay (CWE-294)
2026-06-19 apache GHSA-9hp8-p9xx-frx5
6.3
CVSS 4.0 · Vendor: apache
Share

Severity by source

Vendor (apache) PRIMARY
6.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.4 MEDIUM

AT:P configuration prerequisite maps to AC:H in 3.1; scope change reflects gateway authenticating on behalf of downstream backend services.

3.1 AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (apache).

CVSS VectorVendor: apache

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jun 19, 2026 - 14:25 vuln.today
CVE Published
Jun 19, 2026 - 13:17 cve.org
MEDIUM 6.3

DescriptionCVE.org

Authentication Bypass by Capture-replay vulnerability in Apache APISIX.

Attacker can benefit from certain configurations in hmac-auth to re-use a token forever, bypassing expiry. This issue affects Apache APISIX: from 3.11.0 through 3.16.0.

Users are recommended to upgrade to version 3.17.0, which fixes the issue.

AnalysisAI

HMAC authentication replay in Apache APISIX 3.11.0 through 3.16.0 permits remote attackers who have captured a valid hmac-auth signed token to reuse that token indefinitely, entirely bypassing expiry enforcement under certain plugin configurations. The CVSS 4.0 vector (6.3, AT:P) confirms exploitation depends on a specific hmac-auth configuration condition, limiting blanket exposure but posing significant risk to affected deployments where tokens can be intercepted. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify APISIX deployment using hmac-auth plugin
Delivery
Intercept or obtain valid signed API request token
Exploit
Confirm target uses expiry-bypass configuration
Execution
Replay captured token after expiry
Persist
APISIX gateway accepts token without expiry validation
Impact
Access backend APIs as impersonated consumer

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target Apache APISIX deployment (versions 3.11.0-3.16.0) actively uses the hmac-auth plugin configured in a manner that does not enforce token expiry - the description explicitly states 'certain configurations in hmac-auth' as the enabling condition, and the CVSS 4.0 AT:P metric confirms a configuration prerequisite must be present. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor-assigned CVSS 4.0 score is 6.3 with vector AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker on a network path capable of intercepting API traffic - or with access to application logs or proxy records containing signed hmac-auth requests - captures a valid signed token from a legitimate consumer. Because certain hmac-auth configurations fail to enforce token expiry, the attacker replays the captured request to the APISIX gateway after its intended validity window, and the gateway accepts and forwards the request to the backend service. …
Remediation Vendor-released patch: Apache APISIX 3.17.0, which is the confirmed fix per the Apache security advisory at https://lists.apache.org/thread/ob6ng9x2hxtyfojs839hs1n0v18xxzf2. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-39999 HIGH
7.0 Jun 19

Authentication bypass in Apache APISIX versions 2.2 through 3.16.0 allows remote attackers to circumvent authentication

CVE-2026-49230 MEDIUM
6.3 Jun 19

Authentication bypass in Apache APISIX's jwe-decrypt plugin (versions 3.8.0 through 3.16.0) allows unauthenticated netwo

CVE-2026-39998 MEDIUM
5.8 Jun 19

Identity header spoofing in Apache APISIX versions 2.12.0 through 3.16.0 allows a low-privileged network attacker to man

CVE-2026-49872 MEDIUM
5.3 Jun 19

Authentication bypass in Apache APISIX 3.0.0 through 3.16.0 allows a network-accessible attacker holding valid credentia

CVE-2026-47339 MEDIUM
5.3 Jun 19

Incorrect authorization in the Apache APISIX authz-casdoor plugin allows a network-authenticated attacker to cross-authe

CVE-2026-44087 MEDIUM
5.3 Jun 19

Identity header spoofing in Apache APISIX's openid-connect plugin (versions 2.3 through 3.16.0) enables low-privileged n

CVE-2026-49231 LOW
2.3 Jun 19

Identity header spoofing in the Apache APISIX OPA (Open Policy Agent) plugin allows low-privileged network attackers to

CVE-2026-44046 LOW
2.3 Jun 19

The wolf-rbac plugin in Apache APISIX 1.2.0 through 3.16.0 trusts client-controlled identity and IP data under its defau

CVE-2026-48895 LOW
2.1 Jun 19

Open redirect in Apache APISIX 3.0.0 through 3.16.0 enables unauthenticated remote attackers to manipulate specific HTTP

CVE-2026-44915 LOW
2.1 Jun 19

Open redirect in Apache APISIX's cas-auth plugin exposes users to phishing and credential theft when the plugin is used

CVE-2026-49871 LOW
2.1 Jun 19

The cas-auth plugin in Apache APISIX 3.0.0-3.16.0 enables identity substitution via CSRF under its default configuration

Share

EUVD-2026-38024 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy