Description
Authentication Bypass by Capture-replay vulnerability in Apache APISIX.

Attacker can benefit from certain configurations in hmac-auth to re-use a token forever, bypassing expiry.
This issue affects Apache APISIX: from 3.11.0 through 3.16.0.

Users are recommended to upgrade to version 3.17.0, which fixes the issue.
Published: 2026-06-19
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Apache APISIX's hmac-auth module can be exploited to replay captured authentication tokens, allowing an attacker to circumvent token expiry and regain access indefinitely. This flaw effectively bypasses the intended authentication controls, leading to unauthorized access. The weakness stems from improper handling of cryptographic tokens, identified as CWE-294.

Affected Systems

Minimum impacted product is Apache APISIX provided by the Apache Software Foundation, with vulnerable versions ranging from 3.11.0 through 3.16.0. All installations using hmac-auth in these versions are susceptible until upgraded to the fixed release 3.17.0.

Risk and Exploitability

The CVSS v3.1 score is 6.3, indicating moderate severity. EPSS is currently unavailable, so exploitation likelihood is uncertain, but the vulnerability is publicly documented and not yet listed in CISA's KEV catalog. Attackers would need access to a valid token, possibly gained through network sniffing or a compromised client, to replay it; this indicates a more targeted attack scenario rather than a mass exploit. While the risk is moderate, the impact of successful token replay could be significant for systems relying on APISIX for API gateway protection.

Generated by OpenCVE AI on June 19, 2026 at 21:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply upgrade to Apache APISIX v3.17.0 or later.
  • Configure shorter token lifetimes and enforce expiry on hmac-auth tokens to prevent indefinite replay.
  • Monitor authentication logs for repeated token usage or unauthorized access attempts.

Generated by OpenCVE AI on June 19, 2026 at 21:04 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache apisix
Vendors & Products Apache
Apache apisix

Mon, 22 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 19 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
Description Authentication Bypass by Capture-replay vulnerability in Apache APISIX. Attacker can benefit from certain configurations in hmac-auth to re-use a token forever, bypassing expiry. This issue affects Apache APISIX: from 3.11.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue.
Title Apache APISIX: Session replay issue in hmac-auth
Weaknesses CWE-294
References
Metrics cvssV4_0

{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-06-22T16:21:09.414Z

Reserved: 2026-05-19T11:48:39.289Z

Link: CVE-2026-47341

cve-icon Vulnrichment

Updated: 2026-06-19T16:49:52.832Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T20:41:51Z

Weaknesses
  • CWE-294

    Authentication Bypass by Capture-replay