Description
Authentication Bypass by Spoofing vulnerability in Apache APISIX.

The attacker can completely bypass authentication capitalising on certain configurations of jwt-auth plugin.
This issue affects Apache APISIX: from v2.2 through v3.16.0.

Users are recommended to upgrade to version v3.17.0, which fixes the issue.
Published: 2026-06-19
Score: 7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a JWT algorithm confusion flaw that enables an attacker to bypass authentication entirely. By exploiting misconfigurations in the jwt‑auth plugin, a forged JSON Web Token can be accepted by the gateway, allowing the attacker to impersonate any client or service. This flaw effectively removes the integrity of the authentication mechanism and permits unauthorized access to protected endpoints and data. The weakness is classified as CWE‑290, Authentication Bypass by Spoofing.

Affected Systems

Apache APISIX product versions from v2.2 up to and including v3.16.0 are affected. The fix was incorporated in the v3.17.0 release; upgrading to this or a later version removes the flaw.

Risk and Exploitability

The CVSS score of 7 indicates high severity, and the EPSS score is not available, so the likelihood of exploitation is unknown. The flaw is not listed in the CISA KEV catalog. Based on the description, it is inferred that the attacker would need network access to the APISIX gateway and a user‑supplied JWT. By crafting a malicious token with a confusing algorithm, an attacker could bypass authentication, leading to unrestricted access. Because authentication is bypassed, the impact extends to all confidentiality, integrity, and availability aspects of the protected services.

Generated by OpenCVE AI on June 19, 2026 at 21:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache APISIX to version 3.17.0 or later, where the jwt‑auth plugin has been corrected.
  • If an immediate upgrade is not possible, reconfigure the jwt‑auth plugin to allow only secure algorithms such as RS256 and disable any conflicting algorithms that could lead to confusion.
  • Apply network segmentation or firewall rules to restrict external access to the APISIX gateway until the upgrade can be performed, thereby limiting the attack surface.

Generated by OpenCVE AI on June 19, 2026 at 21:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 22 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 19 Jun 2026 21:15:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache apache Apisix
Vendors & Products Apache
Apache apache Apisix

Fri, 19 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
Description Authentication Bypass by Spoofing vulnerability in Apache APISIX. The attacker can completely bypass authentication capitalising on certain configurations of jwt-auth plugin. This issue affects Apache APISIX: from v2.2 through v3.16.0. Users are recommended to upgrade to version v3.17.0, which fixes the issue.
Title Apache APISIX: JWT Algorithm Confusion allows authentication bypass
Weaknesses CWE-290
References
Metrics cvssV4_0

{'score': 7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N'}


Subscriptions

Apache Apache Apisix
cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-06-22T16:17:30.194Z

Reserved: 2026-04-08T02:56:44.658Z

Link: CVE-2026-39999

cve-icon Vulnrichment

Updated: 2026-06-22T16:17:24.557Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-19T21:45:04Z

Weaknesses
  • CWE-290

    Authentication Bypass by Spoofing