CVE Catalog

CVE-2026-47341

MediumCVSS 6.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.41%

33th percentile — higher than 33% of all known CVEs

Summary

There is an authentication bypass vulnerability in Apache APISIX due to a capture-replay attack. An attacker can exploit certain configurations in hmac-auth to reuse a token indefinitely, bypassing its expiry.

Risk Assessment

Organizations may be exposed to unauthorized access to systems, potentially leading to serious data security breaches.

Recommendation

It is recommended to upgrade to version 3.17.0, which fixes the issue.

Original NVD description (English source)

Authentication Bypass by Capture-replay vulnerability in Apache APISIX. Attacker can benefit from certain configurations in hmac-auth to re-use a token forever, bypassing expiry. This issue affects Apache APISIX: from 3.11.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS