Impact
The vulnerability is a JWT algorithm confusion flaw that enables an attacker to bypass authentication entirely. By exploiting misconfigurations in the jwt‑auth plugin, a forged JSON Web Token can be accepted by the gateway, allowing the attacker to impersonate any client or service. This flaw effectively removes the integrity of the authentication mechanism and permits unauthorized access to protected endpoints and data. The weakness is classified as CWE‑290, Authentication Bypass by Spoofing.
Affected Systems
Apache APISIX product versions from v2.2 up to and including v3.16.0 are affected. The fix was incorporated in the v3.17.0 release; upgrading to this or a later version removes the flaw.
Risk and Exploitability
The CVSS score of 7 indicates high severity, and the EPSS score is not available, so the likelihood of exploitation is unknown. The flaw is not listed in the CISA KEV catalog. Based on the description, it is inferred that the attacker would need network access to the APISIX gateway and a user‑supplied JWT. By crafting a malicious token with a confusing algorithm, an attacker could bypass authentication, leading to unrestricted access. Because authentication is bypassed, the impact extends to all confidentiality, integrity, and availability aspects of the protected services.
OpenCVE Enrichment