Skip to content
CVSS 9.1 · CRITICAL

CVE-2026-49230

Improper Validation of Integrity Check Value vulnerability in Apache APISIX. The jwe-decrypt plugin under default configuration is vulnerable to authentication bypass.  This issue affects Apache APISIX: from 3.8.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue.

View on NVD

Analysis

Apache APISIX versions 3.8.0 through 3.16.0 are vulnerable to a critical authentication bypass when using the jwe-decrypt plugin in its default configuration. Attackers can bypass integrity checks to gain unauthorized access to backend services; users should upgrade to version 3.17.0 immediately.

Relevant roles

BackendCloudCyberSecurityKubernetesDocker

Severity

Score: 9.1(CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
AV: NETWORK
AC: LOW
PR: NONE
UI: NONE
S: UNCHANGED
C: HIGH
I: HIGH
A: NONE
Weakness (CWE): CWE-354

EPSS

Probability of exploitation (next 30 days): 0.0023 (0.2%)
Percentile: 13.6%
EPSS: 2026-06-23

Affects

apache:apisix

Technical description

Improper Validation of Integrity Check Value vulnerability in Apache APISIX. The jwe-decrypt plugin under default configuration is vulnerable to authentication bypass.  This issue affects Apache APISIX: from 3.8.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue.

Published: 6/19/2026, 2:16:23 PM
Last modified: 6/23/2026, 3:17:42 PM

References

HomeEventsBlogResourcesTeam