CVE Catalog

CVE-2026-49230

CriticalCVSS 9.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.23%

14th percentile — higher than 14% of all known CVEs

Summary

The vulnerability related to improper validation of integrity check value in Apache APISIX allows authentication bypass in the jwe-decrypt plugin under default configuration. This issue affects versions from 3.8.0 to 3.16.0.

Risk Assessment

Organizations may be exposed to unauthorized access to systems, potentially leading to serious security breaches.

Recommendation

It is recommended to upgrade to version 3.17.0, which fixes the issue.

Original NVD description (English source)

Improper Validation of Integrity Check Value vulnerability in Apache APISIX. The jwe-decrypt plugin under default configuration is vulnerable to authentication bypass.  This issue affects Apache APISIX: from 3.8.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS