Description
Improper Validation of Integrity Check Value vulnerability in Apache APISIX.

The jwe-decrypt plugin under default configuration is vulnerable to authentication bypass.
This issue affects Apache APISIX: from 3.8.0 through 3.16.0.

Users are recommended to upgrade to version 3.17.0, which fixes the issue.
Published: 2026-06-19
Score: 6.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Apache APISIX’s jwe-decrypt plugin fails to validate the integrity check value properly, allowing an attacker to craft a JWE that is accepted without proper authentication. This flaw effectively bypasses authentication, enabling the attacker to impersonate any user or call protected APIs without authorization, thereby compromising confidentiality and integrity of protected resources.

Affected Systems

Apache Software Foundation’s Apache APISIX product, versions 3.8.0 through 3.16.0, is affected. The vulnerability resides in the default configuration of the jwe-decrypt plugin.

Risk and Exploitability

The CVSS score of 6.3 indicates a medium severity issue. EPSS information is not available, and the vulnerability is not listed in CISA KEV, suggesting no known wide-scale exploitation yet. The likely attack vector is an adversary sending a malicious JWE payload through the APISIX gateway, exploiting the plugin's weak integrity check to gain unauthorized access to protected services.

Generated by OpenCVE AI on June 19, 2026 at 20:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache APISIX to version 3.17.0 or later, which includes a fix for the jwe-decrypt integrity check bug.
  • If an upgrade is not immediately possible, restrict incoming JWE tokens to only those signed with a trusted key and reject any unverified tokens.
  • Configure and monitor APISIX to log all authentication failures and anomalous JWE payloads, enabling early detection of attempts to exploit the bypass.

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 18:15:00 +0000

Type         Values Removed   Values Added
Description  -                Improper Validation of Integrity Check Value vulnerability in Apache APISIX. The jwe-decrypt plugin under default configuration is vulnerable to authentication bypass. This issue affects Apache APISIX: from 3.8.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue.
Title        -                Apache APISIX: Authentication bypass in jwe-decrypt
Weaknesses   -                CWE-354
References   -                -
Metrics      -                cvssV4_0: score 6.3, vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-06-19T16:49:55.183Z

Reserved: 2026-05-28T06:01:53.913Z

Link: CVE-2026-49230

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-19T20:15:02Z

Weaknesses
  • CWE-354: Improper Validation of Integrity Check Value