CVE-2025-46647

CWE-3023 documents3 sources
Severity
5.3MEDIUM
EPSS
0.1%
top 71.08%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Apache Software Foundation Apache ApisixApache Apisix
Timeline
PublishedJul 2

Description

A vulnerability of plugin openid-connect in Apache APISIX. This vulnerability will only have an impact if all of the following conditions are met: 1. Use the openid-connect plugin with introspection mode 2. The auth service connected to openid-connect provides services to multiple issuers 3. Multiple issuers share the same private key and relies only on the issuer being different If affected by this vulnerability, it would allow an attacker with a valid account on one of the issuers to log int

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 1.6 | Impact: 3.6

Affected Packages2 packages

NVDapache/apisix< 3.12.0

🔴Vulnerability Details

2
GHSA
GHSA-495r-5j65-5hp3: A vulnerability of plugin openid-connect in Apache APISIX2025-07-02
CVEList
Apache APISIX: improper validation of issuer from introspection discovery url in plugin openid-connect2025-07-02
CVE-2025-46647 (MEDIUM CVSS 5.3) | A vulnerability of plugin openid-co | cvebase.io