PT-2025-27623 · Apache · Apache Apisix
Tiernan Messmer · Published 2025-07-02 · Updated 2025-07-07 · CVE-2025-46647
CVSS v3.1: 5.3 (Medium)
| Vector | AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions:
Apache APISIX versions prior to 3.12.0
Description:
A vulnerability in the openid-connect plugin of Apache APISIX allows an attacker with a valid account on one issuer to log into another issuer, given certain conditions. These conditions are: the openid-connect plugin is used in introspection mode, the auth service is connected to multiple issuers, and those issuers share the same private key, so that the only thing distinguishing their tokens is the issuer value.
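To make the precondition concrete, here is an added Python illustration (not APISIX's Lua plugin code) of two hypothetical issuers sharing one signing key: a verifier that checks only the signature accepts a token minted by the other issuer, while a verifier that also pins the expected issuer rejects it. It assumes HS256 with a constructed shared secret for stdlib self-containment, standing in for the shared private key the advisory describes, and uses the token's iss claim as the issuer identity that an introspection-style check should compare against the configured issuer.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key shared by two hypothetical issuers (the page's
# precondition: same signing key, different issuer values). Not a real key.
SHARED_KEY = b"constructed-demo-shared-secret"
ISSUER_A = "https://issuer-a.example/realms/a"  # issuer this route is meant to trust
ISSUER_B = "https://issuer-b.example/realms/b"  # second issuer on the same key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(issuer: str, subject: str, key: bytes = SHARED_KEY) -> str:
    """Build an HS256 JWS carrying iss/sub, as either issuer would."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"iss": issuer, "sub": subject}).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_signature_only(token: str, key: bytes = SHARED_KEY) -> Optional[dict]:
    """Weak check: any token signed with the shared key is accepted,
    no matter which issuer minted it."""
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    return json.loads(_b64url_decode(payload))


def verify_pinned_issuer(token: str, expected_iss: str,
                         key: bytes = SHARED_KEY) -> Optional[dict]:
    """Hardened check: the signature must verify AND iss must equal the
    issuer configured for this route, so a shared key no longer bridges issuers."""
    claims = verify_signature_only(token, key)
    if claims is None or claims.get("iss") != expected_iss:
        return None
    return claims


if __name__ == "__main__":
    foreign = mint_token(ISSUER_B, "alice@b")
    print("signature-only accepts issuer-B token:", verify_signature_only(foreign) is not None)
    print("issuer-pinned accepts issuer-B token:", verify_pinned_issuer(foreign, ISSUER_A) is not None)
```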
Recommendations:
For versions prior to 3.12.0, upgrade to version 3.12.0 or higher. As a temporary workaround, consider restricting the use of the openid-connect plugin with introspection mode until the upgrade is applied.
Fix
Affected Products
Apache Apisix