Description
Authentication Bypass by Capture-replay vulnerability in Apache APISIX.

Attacker can benefit from certain configurations in hmac-auth to re-use a token forever, bypassing expiry.
This issue affects Apache APISIX: from 3.11.0 through 3.16.0.

Users are recommended to upgrade to version 3.17.0, which fixes the issue.
Published: 2026-06-19
Score: 6.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Under certain configurations, Apache APISIX's hmac-auth plugin accepts a captured authentication token again after it should have expired, so an attacker who records one authenticated request can replay it indefinitely. This bypasses the authentication the gateway is meant to enforce and gives unauthorized access to the upstream APIs behind it. The weakness is classified as CWE-294 (Authentication Bypass by Capture-replay).

Affected Systems

The affected product is Apache APISIX (Apache Software Foundation), versions 3.11.0 through 3.16.0. Any installation that enables the hmac-auth plugin on one of these versions is susceptible until it is upgraded to 3.17.0, the release that contains the fix.

Risk and Exploitability

The CVSS v4.0 base score is 6.3 (Medium). The vector records network-reachable, low-complexity exploitation with no privileges or user interaction (AV:N/AC:L/PR:N/UI:N), but with attack requirements present (AT:P): the replay only works under certain hmac-auth configurations. The impact is scored on the subsequent system (SC:L/SI:L), that is, the upstream services the gateway protects, rather than on APISIX itself. EPSS is not yet available, so exploitation likelihood is unquantified, and the CVE is not listed in CISA's KEV catalog. An attacker still needs a captured valid token, for example from sniffing unencrypted traffic or from a compromised client, which makes this a targeted attack scenario rather than a mass-exploitable one. Where APISIX is the only authentication enforcement point in front of an API, however, a successful replay grants persistent access that the token's expiry was supposed to end.

Generated by OpenCVE AI on June 19, 2026 at 20:10 UTC.
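To make the capture-replay pattern concrete, here is an added example that is not APISIX code and does not reproduce the hmac-auth plugin's signing scheme; the signing string, header set, key id and secret are all constructed for the demonstration. A client signs the method, path and Date header with HMAC-SHA256. A verifier that checks only the HMAC accepts the captured request forever, which is the CWE-294 behaviour; a verifier that also enforces a clock-skew window on the signed Date and remembers signatures already accepted inside that window rejects both the immediate replay and the replay a day later.

```python
import hashlib
import hmac
import time
from email.utils import formatdate, parsedate_to_datetime

# Constructed consumer credentials for the demo; not real APISIX consumer data.
KEYS = {"user-key": b"constructed-secret-key"}


def signing_string(method: str, path: str, date_header: str, key_id: str) -> bytes:
    # Constructed canonical form; the real hmac-auth plugin defines its own.
    return f"{method}\n{path}\ndate: {date_header}\nkeyid: {key_id}".encode()


def sign(method: str, path: str, date_header: str, key_id: str) -> str:
    """Client side: HMAC-SHA256 over the signing string, hex encoded."""
    mac = hmac.new(KEYS[key_id], signing_string(method, path, date_header, key_id), hashlib.sha256)
    return mac.hexdigest()


def verify_signature_only(method, path, date_header, key_id, signature) -> bool:
    """Replayable verifier: the HMAC is checked, the Date it covers is not,
    so anything captured once validates forever (the CWE-294 pattern)."""
    if key_id not in KEYS:
        return False
    return hmac.compare_digest(sign(method, path, date_header, key_id), signature)


class ReplaySafeVerifier:
    """Adds a clock-skew window on the signed Date and a cache of signatures
    already accepted inside that window, so a captured request is good for
    at most one use and for at most clock_skew seconds."""

    def __init__(self, clock_skew: int = 300):
        self.clock_skew = clock_skew
        self.seen: dict[str, float] = {}  # signature -> time it leaves the window

    def verify(self, method, path, date_header, key_id, signature, now=None):
        now = time.time() if now is None else now
        if not verify_signature_only(method, path, date_header, key_id, signature):
            return False, "bad signature"
        try:
            ts = parsedate_to_datetime(date_header).timestamp()
        except (TypeError, ValueError):
            return False, "bad date"
        # 1. The signed Date must lie within the skew window of server time.
        if abs(now - ts) > self.clock_skew:
            return False, "stale"
        # 2. Forget cached signatures that could no longer pass check 1 anyway.
        self.seen = {s: exp for s, exp in self.seen.items() if exp > now}
        # 3. A signature still inside the window must not have been accepted before.
        if signature in self.seen:
            return False, "replay"
        self.seen[signature] = ts + self.clock_skew
        return True, "ok"


def replay_scenario(clock_skew: int = 300) -> dict:
    """Capture one request at t0, then replay it 20 s later and one day later."""
    t0 = 1_781_000_000  # constructed server time, seconds since the epoch
    date_header = formatdate(t0, usegmt=True)
    sig = sign("GET", "/api/orders", date_header, "user-key")
    req = ("GET", "/api/orders", date_header, "user-key", sig)

    v = ReplaySafeVerifier(clock_skew)
    return {
        # The signature-only verifier has no notion of time: always True.
        "weak_any_time": verify_signature_only(*req),
        "safe_first": v.verify(*req, now=t0 + 10),
        "safe_replay": v.verify(*req, now=t0 + 20),
        "safe_day_later": v.verify(*req, now=t0 + 86_400),
        "safe_tampered": v.verify("GET", "/api/orders", date_header, "user-key", "00" * 32, now=t0 + 30),
    }


if __name__ == "__main__":
    for name, outcome in replay_scenario().items():
        print(f"{name}: {outcome}")
```

The seen-signature cache is the part a gateway most often omits: a skew window alone still leaves every captured request replayable for the whole window, and a skew window that is disabled or very wide leaves it replayable indefinitely, which is the outcome the advisory describes.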

Remediation

Vendor fix: upgrade to Apache APISIX 3.17.0 or later, as stated in the advisory. No workaround for the affected versions has been published.

OpenCVE Recommended Actions

  • Upgrade Apache APISIX to 3.17.0 or later, the release the advisory names as containing the fix.
  • Until the upgrade is applied, review the hmac-auth configuration on every route and consumer that uses it. The advisory attributes the replay to "certain configurations" without naming them, so treat any setting that relaxes timestamp or signature validation (for example a widened clock_skew window) as suspect; this is a general hardening point, not the confirmed trigger. Do not rely on shorter token lifetimes alone, since expiry is exactly what this flaw bypasses.
  • Monitor gateway access and authentication logs for the same signature value being accepted more than once, for a signature accepted long after the Date it covers, and for one consumer key used from several client addresses.

Generated by OpenCVE AI on June 19, 2026 at 20:10 UTC.
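A minimal form of the monitoring action above, as an added example that is neither OpenCVE's nor APISIX's code: it scans constructed access-log lines (the line layout is invented here; APISIX's own access-log format is configurable and not reproduced) for a signature value that was accepted more than once, and reports how often, from which client addresses, and whether the reuse fell outside a plausible clock-skew window.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample access-log lines: time, client IP, key id, signature,
# HTTP status. The format is invented for this example.
SAMPLE_LOG = """\
2026-06-19T10:00:01Z 203.0.113.10 user-key sig=9f1c2b 200
2026-06-19T10:00:09Z 203.0.113.10 user-key sig=a77e04 200
2026-06-19T10:02:30Z 198.51.100.7 user-key sig=9f1c2b 200
2026-06-21T08:15:00Z 198.51.100.7 user-key sig=9f1c2b 200
2026-06-19T10:03:00Z 203.0.113.10 other-key sig=5d0b1e 401
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<key>\S+) sig=(?P<sig>\S+) (?P<status>\d{3})$"
)


def parse_line(line: str):
    """Parse one constructed log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00")).astimezone(timezone.utc)
    return {"ts": ts, "ip": m["ip"], "key": m["key"], "sig": m["sig"], "status": int(m["status"])}


def find_replays(log_text: str, window_seconds: int = 300) -> dict:
    """For every signature accepted (HTTP 200) more than once, report the
    consumer key, the number of acceptances, the distinct client addresses,
    the seconds between first and last acceptance, and whether that span
    exceeds the clock-skew window a correct verifier would enforce."""
    uses = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["status"] != 200:  # only successful auths matter here
            continue
        uses[rec["sig"]].append(rec)

    findings = {}
    for sig, recs in uses.items():
        if len(recs) < 2:
            continue
        recs.sort(key=lambda r: r["ts"])
        span = (recs[-1]["ts"] - recs[0]["ts"]).total_seconds()
        findings[sig] = {
            "key": recs[0]["key"],
            "count": len(recs),
            "client_ips": sorted({r["ip"] for r in recs}),
            "span_seconds": span,
            "outside_window": span > window_seconds,
        }
    return findings


if __name__ == "__main__":
    for sig, info in find_replays(SAMPLE_LOG).items():
        print(sig, info)
```

Any signature accepted twice is worth a look, but a signature accepted from a second address, or outside the skew window the verifier should have enforced, is the pattern that distinguishes a replayed capture from a client retry.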


Advisories

No advisories yet.

History

Fri, 19 Jun 2026 18:15:00 +0000

Values removed: none. Values added:
  • Description: Authentication Bypass by Capture-replay vulnerability in Apache APISIX. Attacker can benefit from certain configurations in hmac-auth to re-use a token forever, bypassing expiry. This issue affects Apache APISIX: from 3.11.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue.
  • Title: Apache APISIX: Session replay issue in hmac-auth
  • Weaknesses: CWE-294
  • References: none
  • Metrics: cvssV4_0, score 6.3, vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N



MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-06-19T16:49:52.832Z

Reserved: 2026-05-19T11:48:39.289Z

Link: CVE-2026-47341

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-19T20:15:02Z

Weaknesses
  • CWE-294

    Authentication Bypass by Capture-replay