VYPR advisory · Published Jun 19, 2026 · Updated Jun 20, 2026 · 1 source

Apache APISIX: 12 CVEs Disclosed Across Nine Auth Plugins, All Fixed in 3.17.0


Key findings

  • 12 CVEs disclosed together, all fixed in Apache APISIX 3.17.0
  • Five authentication bypass/spoofing flaws across jwt-auth, hmac-auth, jwe-decrypt, opa, and authz-casdoor
  • Four CVEs target the cas-auth plugin alone, including CSRF and two open redirects
  • Identity header spoofing affects openid-connect, wolf-rbac, and forward-auth plugins
  • No in-the-wild exploitation reported, but many flaws exist under default configurations
  • Affected versions span from 1.2.0 to 3.16.0; upgrade to 3.17.0 is the only mitigation

On June 19, 2026, the Apache APISIX project disclosed a batch of 12 security vulnerabilities spanning versions 1.2.0 through 3.16.0, all addressed in the newly released version 3.17.0. The cluster is dominated by authentication and identity-spoofing flaws across a wide range of authentication plugins — cas-auth, hmac-auth, jwt-auth, openid-connect, opa, wolf-rbac, forward-auth, authz-casdoor, and jwe-decrypt — making this one of the most comprehensive authentication-related security updates in the API gateway's history.

Authentication bypass and spoofing in core auth plugins

Five of the twelve CVEs involve authentication bypass or spoofing. CVE-2026-39999 describes a JWT algorithm confusion vulnerability in the jwt-auth plugin that lets an attacker completely bypass authentication under certain configurations. CVE-2026-47341 is a session replay flaw in hmac-auth that allows an attacker to reuse a token indefinitely, bypassing expiry. CVE-2026-49230 affects the jwe-decrypt plugin, where a missing integrity check under the default configuration enables authentication bypass. CVE-2026-49231 targets the opa plugin, allowing an attacker to relay spoofed identity headers to upstream services and assume higher privileges. CVE-2026-47339 in the authz-casdoor plugin lets an attacker authenticate with credentials from a different source.
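The defensive property that an algorithm-confusion bypass relies on being absent is that the gateway, not the token, decides which algorithm is acceptable. The following is an added example (not APISIX code and not from the advisory) of a JWT verifier that pins the algorithm from configuration, rejects any header that disagrees before running any cryptography, and enforces `exp` server-side so a captured token cannot be reused past its lifetime. It implements HS256 only, and the key, timestamps and claims are constructed demo values.

```python
"""Pinned-algorithm JWT verification (added example; not APISIX code).

The accepted algorithm comes from gateway configuration, never from the
token's own header. Only HS256 is implemented here (an assumption that
keeps the example self-contained); the pinning check is the same for any
algorithm.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed demo values, not real secrets or real tokens.
DEMO_KEY = b"constructed-demo-key-do-not-use"
DEMO_NOW = 1_700_000_000


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # Re-add the padding that JWT base64url encoding strips.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def mint_hs256(claims: dict, key: bytes) -> str:
    """What a legitimate issuer produces: header.payload.signature."""
    header, payload = _segment({"alg": "HS256", "typ": "JWT"}), _segment(claims)
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_pinned(token: str, key: bytes, expected_alg: str = "HS256",
                  now: Optional[float] = None) -> Tuple[Optional[dict], str]:
    """Return (claims, "ok") on success or (None, reason) on rejection."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        return None, "malformed"
    # The pin: configuration decides the algorithm; a header that says
    # anything else ("none", RS256, ...) is rejected before any crypto runs.
    if not isinstance(header, dict) or header.get("alg") != expected_alg:
        return None, "algorithm mismatch"
    if expected_alg != "HS256":
        return None, "unsupported algorithm"  # assumption: demo supports HS256 only
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None, "bad signature"
    try:
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:
        return None, "malformed"
    exp = claims.get("exp") if isinstance(claims, dict) else None
    # Expiry is enforced here so a captured token cannot be replayed indefinitely.
    if not isinstance(exp, (int, float)) or isinstance(exp, bool) or exp <= now:
        return None, "expired or missing exp"
    return claims, "ok"


def run_checks() -> dict:
    """Exercise the verifier with constructed inputs; returns the decision per case."""
    good = mint_hs256({"sub": "alice", "exp": DEMO_NOW + 300}, DEMO_KEY)
    header_b64, payload_b64, sig_b64 = good.split(".")
    # Shapes the pinned check must reject: an unsigned token whose header
    # claims "none", a payload swapped under a signature that does not
    # cover it, and a token past its exp.
    unsigned = f"{_segment({'alg': 'none', 'typ': 'JWT'})}.{payload_b64}."
    swapped = f"{header_b64}.{_segment({'sub': 'admin', 'exp': DEMO_NOW + 300})}.{sig_b64}"
    stale = mint_hs256({"sub": "alice", "exp": DEMO_NOW - 1}, DEMO_KEY)
    return {
        "valid": verify_pinned(good, DEMO_KEY, now=DEMO_NOW)[1],
        "alg_none": verify_pinned(unsigned, DEMO_KEY, now=DEMO_NOW)[1],
        "swapped_payload": verify_pinned(swapped, DEMO_KEY, now=DEMO_NOW)[1],
        "expired": verify_pinned(stale, DEMO_KEY, now=DEMO_NOW)[1],
    }


if __name__ == "__main__":
    for case, decision in run_checks().items():
        print(f"{case:16s} -> {decision}")
```

The ordering matters: the algorithm comparison happens before signature verification, so a header claiming `none` or a different family never reaches a code path that would verify it with the wrong primitive, and the `exp` check sits after the signature check so only authentic claims are ever consulted.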

Identity header spoofing across multiple plugins

A recurring theme is the ability to inject or spoof identity headers that upstream services trust. CVE-2026-44087 in the openid-connect plugin allows an attacker to spoof identity headers under the default configuration, gaining unauthorized access to protected resources. CVE-2026-44046 in the wolf-rbac plugin lets an attacker pollute logs with spoofed identity information and exploit IP-based access control rules. CVE-2026-39998 in the forward-auth plugin enables identity header injection due to missing header cleanup. All three stem from insufficient verification of data authenticity or use of less trusted sources.
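The three flaws above share one root: a value the gateway should assert itself (the caller's identity, or the client address used for logs and IP rules) can instead be supplied by the client. As an added example that is not APISIX code or part of the advisory, the block below shows the two gateway-side rules that close that gap: every client-supplied copy of an identity header is dropped (case-insensitively, including duplicates) before the gateway sets its own from the verified result, and `X-Forwarded-For` is honoured only for hops that are configured trusted proxies. The header names, proxy ranges and addresses are assumptions constructed for the demo.

```python
"""Gateway-side identity header handling (added example; not APISIX code).

Rule 1: strip every client-supplied identity header before forwarding,
then set those headers only from the gateway's own verified result.
Rule 2: derive the client address from the transport or a trusted proxy,
never from an arbitrary X-Forwarded-For value.
Header names and proxy ranges are assumptions for the demo.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Assumed names of the headers this gateway asserts to upstreams.
IDENTITY_HEADERS = ("X-User-Id", "X-User-Role")
_RESERVED = frozenset(name.lower() for name in IDENTITY_HEADERS)


def forward_headers(client_headers: List[Tuple[str, str]],
                    verified: Optional[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Headers to send upstream: client headers minus reserved names, with the
    identity headers re-populated from the verified result only."""
    # Case-insensitive match and removal of every occurrence, so neither
    # "x-user-id" nor a duplicated "X-User-Id" survives to the upstream.
    kept = [(name, value) for name, value in client_headers
            if name.lower() not in _RESERVED]
    if verified is not None:
        kept.append(("X-User-Id", verified["sub"]))
        kept.append(("X-User-Role", verified["role"]))
    return kept


def client_ip(remote_addr: str, forwarded_for: Optional[str],
              trusted_proxies: List[str]) -> str:
    """Address to log and to evaluate IP-based rules against.

    X-Forwarded-For is walked right to left, skipping configured proxy hops;
    the first hop that is not a trusted proxy is the real peer. If the direct
    peer itself is untrusted, the header is ignored entirely."""
    nets = [ipaddress.ip_network(net) for net in trusted_proxies]

    def trusted(addr: str) -> bool:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return False  # unparsable hops are never trusted
        return any(ip in net for net in nets)

    chain = [hop.strip() for hop in (forwarded_for or "").split(",") if hop.strip()]
    chain.append(remote_addr)  # the transport peer is always the last hop
    for hop in reversed(chain):
        if not trusted(hop):
            return hop
    return remote_addr  # only trusted proxies in the chain


if __name__ == "__main__":
    # Constructed request: the client sent identity headers of its own.
    incoming = [("X-User-Id", "admin"), ("x-user-id", "root"), ("Accept", "*/*")]
    print(forward_headers(incoming, {"sub": "alice", "role": "viewer"}))
    print(client_ip("10.0.0.2", "198.51.100.7, 10.0.0.3", ["10.0.0.0/8"]))
```

Stripping happens whether or not authentication succeeded, so an unauthenticated request can never carry an identity header through to an upstream that treats its presence as proof of authentication.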

cas-auth plugin: a concentrated attack surface

The cas-auth plugin alone accounts for four CVEs, making it the most affected component in this batch. CVE-2026-49872 is an improper authentication flaw that lets an attacker authenticate with credentials from a different source. CVE-2026-49871 is a CSRF vulnerability that, under default configurations, can cause a victim's browser to become authenticated as a different identity. CVE-2026-48895 and CVE-2026-44915 are both open-redirect issues — the first via Host header manipulation to potentially expose session tokens, the second via an unsanitized cookie value that enables phishing and credential theft.
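Both open-redirect issues come down to building a redirect from attacker-influenced input: the request's `Host` header in one case, a cookie value in the other. The following added example (not APISIX code and not from the advisory) shows the defensive shape of a CAS-style login redirect: the callback (`service`) URL is assembled from the configured gateway hostname, and the post-login return location read from a cookie is reduced to a same-site path before use, rejecting scheme-relative (`//host`, `/\host`), absolute-to-other-host, non-http scheme and control-character inputs. The hostnames, cookie name and paths are assumptions constructed for the demo.

```python
"""Redirect-target validation for a CAS-style login flow (added example;
not APISIX code). The callback URL is built from configured values, not the
request Host header, and the post-login return location (read from a cookie)
is reduced to a path on this site. Hostnames and paths are assumptions."""
from typing import FrozenSet, Optional
from urllib.parse import urlencode, urlsplit, urlunsplit

CONFIGURED_HOST = "gw.example.com"                     # assumed gateway host (from config)
ALLOWED_HOSTS = frozenset({CONFIGURED_HOST})
CAS_LOGIN_URL = "https://cas.example.com/cas/login"   # assumed CAS server
CALLBACK_PATH = "/cas/callback"                        # assumed callback path


def safe_return_path(candidate: Optional[str], allowed_hosts: FrozenSet[str],
                     default: str = "/") -> str:
    """Reduce an untrusted return location to a path on this site, else default."""
    if not candidate:
        return default
    value = candidate.strip()
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in value):
        return default  # control characters have no place in a redirect target
    try:
        parts = urlsplit(value)
    except ValueError:
        return default
    if parts.scheme or parts.netloc:
        # Absolute or scheme-relative input: keep only http(s) to an allowed
        # host, and then only its path and query.
        if parts.scheme.lower() not in ("", "http", "https"):
            return default
        if (parts.hostname or "").lower() not in allowed_hosts:
            return default
    path = parts.path or "/"
    # Browsers treat "//host" and "/\host" as scheme-relative, so a path must
    # start with exactly one slash followed by something other than / or \.
    if not path.startswith("/") or path[1:2] in ("/", "\\"):
        return default
    return urlunsplit(("", "", path, parts.query, ""))


def login_redirect(return_cookie: Optional[str], request_host: str) -> str:
    """Location to send an unauthenticated browser to. request_host is taken as
    a parameter only to make explicit that it is never used."""
    _ = request_host  # intentionally unused: the request Host header is attacker-influenced
    return_to = safe_return_path(return_cookie, ALLOWED_HOSTS)
    service = urlunsplit(("https", CONFIGURED_HOST, CALLBACK_PATH,
                          urlencode({"return": return_to}), ""))
    return f"{CAS_LOGIN_URL}?{urlencode({'service': service})}"


if __name__ == "__main__":
    # Constructed inputs: a hostile Host header and a cookie pointing off-site.
    print(login_redirect("//evil.example/", "evil.example"))
    print(safe_return_path("https://gw.example.com/home?x=1", ALLOWED_HOSTS))
```

Returning a path rather than the original string is deliberate: even when an absolute URL names an allowed host, only its path and query are kept, so userinfo tricks (`https://gw.example.com@evil.example/`) and port or scheme variations never reach the `Location` header.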

Impact and exploitation context

No in-the-wild exploitation has been publicly reported for any of these CVEs as of the disclosure date. However, the breadth of affected plugins and the fact that many flaws exist under default configurations significantly lowers the barrier to exploitation. Attackers who can reach an APISIX data plane endpoint could chain these vulnerabilities to bypass authentication, steal session tokens, or escalate privileges on upstream services. The open-redirect flaws in cas-auth (CVE-2026-48895 and CVE-2026-44915) are particularly concerning for phishing campaigns targeting APISIX administrators.

Patch and mitigation

All 12 CVEs are fixed in Apache APISIX version 3.17.0. Users running any version from 1.2.0 through 3.16.0 are advised to upgrade immediately. The affected version ranges vary per CVE — for example, CVE-2026-44046 (wolf-rbac) affects versions as early as 1.2.0, while CVE-2026-47341 (hmac-auth) only affects 3.11.0 through 3.16.0. No workarounds or configuration-level mitigations have been published by the project; the only recommended action is upgrading to 3.17.0.

Broader context

This batch underscores a systemic issue in APISIX's authentication plugin architecture: many plugins trust client-supplied headers or tokens without sufficient validation, and default configurations often enable the most vulnerable code paths. The concentration of flaws in the cas-auth plugin — four CVEs in a single component — suggests that the plugin underwent a particularly thorough security review. For organizations running APISIX as an API gateway, this update is critical: authentication bypass in a gateway effectively nullifies the security of every upstream service behind it.

Synthesized by Vypr AI