CVE Catalog

CVE-2026-39999

CriticalCVSS 9.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.41%

33th percentile — higher than 33% of all known CVEs

Summary

Authentication Bypass by Spoofing vulnerability in Apache APISIX allows an attacker to completely bypass the authentication process by capitalizing on certain configurations of the jwt-auth plugin. This issue affects Apache APISIX from v2.2 through v3.16.0.

Risk Assessment

The organization is at risk of unauthorized access to the system, which could lead to serious data security breaches.

Recommendation

Users are recommended to upgrade to version v3.17.0, which fixes the issue.

Original NVD description (English source)

Authentication Bypass by Spoofing vulnerability in Apache APISIX. The attacker can completely bypass authentication capitalising on certain configurations of jwt-auth plugin. This issue affects Apache APISIX: from v2.2 through v3.16.0. Users are recommended to upgrade to version v3.17.0, which fixes the issue.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS