CVE-2026-47341
MediumCVSS 6.5Exploitation Probability (EPSS)
Low risk33th percentile — higher than 33% of all known CVEs
Summary
There is an authentication bypass vulnerability in Apache APISIX due to a capture-replay attack. An attacker can exploit certain configurations in hmac-auth to reuse a token indefinitely, bypassing its expiry.
Risk Assessment
Organizations may be exposed to unauthorized access to systems, potentially leading to serious data security breaches.
Recommendation
It is recommended to upgrade to version 3.17.0, which fixes the issue.
Original NVD description (English source)
Authentication Bypass by Capture-replay vulnerability in Apache APISIX. Attacker can benefit from certain configurations in hmac-auth to re-use a token forever, bypassing expiry. This issue affects Apache APISIX: from 3.11.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue.

