CVE-2026-47341

MEDIUM EPSS 34.5%

Published Jun 19, 20261w ago · Modified Jun 23, 20266d ago

6.3 CVSS 4.0

Medium

Published Jun 19, 2026 1w ago

Last Modified Jun 23, 2026 6d ago

Description

Authentication Bypass by Capture-replay vulnerability in Apache APISIX. Attacker can benefit from certain configurations in hmac-auth to re-use a token forever, bypassing expiry. This issue affects Apache APISIX: from 3.11.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue.

CVSS Details

Base Score

6.3

Exploitability

—

Impact

—

Vector string

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector Network

Attack Complexity Low

Privileges Required None

User Interaction None

Scope X

Threat Intelligence

EPSS Exploit Probability

34.5% percentile

Exploit & Patch Status

No Known Exploit

No Patch Available

Weaknesses 1

CWE-294

Affected Products 1

Vendor	Product	Version	Range
apache	apisix	*	≥3.11.0 – <3.17.0

References 2

openwall.com http://www.openwall.com/lists/oss-security/2026/06/19/10

Third Party Advisory
lists.apache.org https://lists.apache.org/thread/ob6ng9x2hxtyfojs839hs1n0v18xxzf2

Vendor AdvisoryMailing List

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.