PT-2026-50895 · Apache · Apache Apisix

Lokerxxx

Published

2026-06-19

Updated

2026-06-19

CVE-2026-49230

CVSS v4.0

6.3

Medium

Vector

AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Improper Validation of Integrity Check Value vulnerability in Apache APISIX.

The jwe-decrypt plugin under default configuration is vulnerable to authentication bypass. This issue affects Apache APISIX: from 3.8.0 through 3.16.0.

Users are recommended to upgrade to version 3.17.0, which fixes the issue.

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-354

Related Identifiers

CVE-2026-49230

Affected Products

Apache Apisix

PT-2026-50895 · Apache · Apache Apisix

CVE-2026-49230

Weakness Enumeration

Related Identifiers

Affected Products

References · 2