Skip to content
CVSS 9.1 · CRITICAL

CVE-2026-49230

Improper Validation of Integrity Check Value vulnerability in Apache APISIX. The jwe-decrypt plugin under default configuration is vulnerable to authentication bypass.  This issue affects Apache APISIX: from 3.8.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue.

Ver en NVD

Análisis

Apache APISIX versions 3.8.0 through 3.16.0 are vulnerable to a critical authentication bypass when using the jwe-decrypt plugin in its default configuration. Attackers can bypass integrity checks to gain unauthorized access to backend services; users should upgrade to version 3.17.0 immediately.

Roles relevantes

BackendCloudCyberSecurityKubernetesDocker

Severidad

Puntaje: 9.1(CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
AV: NETWORK
AC: LOW
PR: NONE
UI: NONE
S: UNCHANGED
C: HIGH
I: HIGH
A: NONE
Tipo de falla (CWE): CWE-354

EPSS

Probabilidad de explotación (próx. 30 días): 0.0023 (0.2%)
Percentil: 13.6%
EPSS: 2026-06-23

Afecta

apache:apisix

Descripción técnica

Improper Validation of Integrity Check Value vulnerability in Apache APISIX. The jwe-decrypt plugin under default configuration is vulnerable to authentication bypass.  This issue affects Apache APISIX: from 3.8.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue.

Publicada: 19/6/2026, 14:16:23
Última modificación: 23/6/2026, 15:17:42

Referencias

InicioEventosBlogRecursosEquipo