CVE-2026-39999

HIGH EPSS 30.5%

Published Jun 19, 20261w ago · Modified Jun 23, 20266d ago

7.0 CVSS 4.0

High

Published Jun 19, 2026 1w ago

Last Modified Jun 23, 2026 6d ago

Description

Authentication Bypass by Spoofing vulnerability in Apache APISIX. The attacker can completely bypass authentication capitalising on certain configurations of jwt-auth plugin. This issue affects Apache APISIX: from v2.2 through v3.16.0. Users are recommended to upgrade to version v3.17.0, which fixes the issue.

CVSS Details

Base Score

7.0

Exploitability

—

Impact

—

Vector string

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector Network

Attack Complexity Low

Privileges Required None

User Interaction None

Scope X

Threat Intelligence

EPSS Exploit Probability

30.5% percentile

Exploit & Patch Status

No Known Exploit

No Patch Available

Weaknesses 1

CWE-290

Affected Products 1

Vendor	Product	Version	Range
apache	apisix	*	≥2.2 – <3.17.0

References 2

openwall.com http://www.openwall.com/lists/oss-security/2026/06/19/5

Third Party Advisory
lists.apache.org https://lists.apache.org/thread/nfopt8cnxd3k0rs1oxtr7lzxrdw4mojq

Vendor AdvisoryMailing List

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.