CVE-2026-39999
Published 2026-06-19
Priority P2 · 65 · critical · CVSS 3.1 base score 9.1 (vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS: 0.39% (30.5th percentile)
Authentication Bypass by Spoofing vulnerability in Apache APISIX.
An unauthenticated remote attacker can completely bypass authentication by capitalising on certain configurations of the jwt-auth plugin; the advisory does not state which configurations are affected.
This issue affects Apache APISIX: from v2.2 through v3.16.0.
Users are recommended to upgrade to version v3.17.0, which fixes the issue.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | apisix | >= 2.2 < 3.17.0 | 3.17.0 |
| apache_software_foundation | apache_apisix | 2.2 – 3.16.0 | — |
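The advisory gives a version range and names the plugin but not the exploitable configuration, so the practical triage step is: is this gateway inside the range, and which routes, services or global rules enable jwt-auth at all. The script below is an added example, not code from this page or from the Apache APISIX project. It assumes the APISIX 3.x Admin API list shape (`{"total": n, "list": [{"key": "/apisix/routes/1", "value": {...}}]}`, as returned by `GET /apisix/admin/routes`, `/services` and `/global_rules`; 2.x returned an etcd-style `node.nodes` tree instead) and that the version string comes from `apisix version` or the gateway's Server header. The responses embedded here are constructed sample data, and the `assess` helper and its field names are this example's own, not an APISIX API.

```python
from __future__ import annotations

import re

# Affected range from the advisory: >= 2.2 and < 3.17.0 (fixed in 3.17.0).
AFFECTED_MIN = (2, 2, 0)
FIXED_IN = (3, 17, 0)

# Accepts "v3.16.0", "3.16", "3.16.0-rc1"; the pre-release suffix is ignored.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> tuple[int, int, int]:
    """Normalise an APISIX version string into a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised APISIX version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(version: str) -> bool:
    """True when the version falls inside the advisory's range (>= 2.2, < 3.17.0)."""
    return AFFECTED_MIN <= parse_version(version) < FIXED_IN


def objects_with_plugin(admin_list_response: dict, plugin: str, kind: str) -> list[dict]:
    """Pick the Admin API objects (routes/services/global_rules) that enable `plugin`.

    Assumes the 3.x Admin API list shape: {"list": [{"key": ..., "value": {...}}]}.
    """
    hits = []
    for item in admin_list_response.get("list", []):
        value = item.get("value") or {}
        plugins = value.get("plugins") or {}
        if plugin in plugins:
            hits.append({
                "id": f"{kind}/{value.get('id', item.get('key', '?'))}",
                "uri": value.get("uri") or value.get("uris"),
                "config": plugins[plugin],
            })
    return hits


def assess(version: str, admin_responses: dict[str, dict]) -> dict:
    """Combine the version check with an inventory of every object that enables jwt-auth.

    `admin_responses` maps an object kind ("routes", "services", "global_rules") to the
    Admin API list response for that kind. Because the advisory does not say which jwt-auth
    settings are exploitable, every jwt-auth user is reported, not just a guessed subset.
    """
    affected = is_affected(version)
    users = []
    for kind in ("routes", "services", "global_rules"):
        users.extend(objects_with_plugin(admin_responses.get(kind, {}), "jwt-auth", kind))
    if affected and users:
        action = "upgrade to 3.17.0 or later before relying on jwt-auth on these objects"
    elif affected:
        action = "upgrade to 3.17.0 or later; no jwt-auth usage found in the supplied objects"
    else:
        action = "version is outside the affected range"
    return {"version": version, "version_affected": affected,
            "jwt_auth_objects": users, "action": action}


# Constructed sample Admin API responses (not captured from a real gateway).
SAMPLE_ROUTES = {"total": 3, "list": [
    {"key": "/apisix/routes/1", "value": {"id": "1", "uri": "/orders/*",
        "plugins": {"jwt-auth": {}}, "upstream_id": "1"}},
    {"key": "/apisix/routes/2", "value": {"id": "2", "uri": "/public/*",
        "plugins": {"limit-count": {"count": 10, "time_window": 60}}, "upstream_id": "1"}},
    {"key": "/apisix/routes/3", "value": {"id": "3", "uris": ["/admin/*"],
        "plugins": {"jwt-auth": {"header": "authorization"},
                    "ip-restriction": {"whitelist": ["10.0.0.0/8"]}}, "upstream_id": "2"}},
]}
SAMPLE_GLOBAL_RULES = {"total": 1, "list": [
    {"key": "/apisix/global_rules/1", "value": {"id": "1", "plugins": {"prometheus": {}}}},
]}

if __name__ == "__main__":
    report = assess("v3.16.0", {"routes": SAMPLE_ROUTES, "global_rules": SAMPLE_GLOBAL_RULES})
    print(report["version"], "affected:", report["version_affected"])
    for obj in report["jwt_auth_objects"]:
        print("  jwt-auth on", obj["id"], obj["uri"])
    print("action:", report["action"])
```

Run it against the real responses by pulling each kind from the Admin API with the admin key and feeding the parsed JSON to `assess`; the inventory part is still useful after upgrading, since it tells you which routes depended on the plugin while the gateway was exposed and therefore which access logs deserve a look.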
CVSS provenance
NVD, CVSS v3.1: 9.1 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
NVD, CVSS v4.0: 7.0 HIGH · CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
GHSA
ghsa_unreviewed · 2026-06-19
CVE-2026-39999 [HIGH] CWE-290 Authentication Bypass by Spoofing vulnerability in Apache APISIX. Description identical to the CVE record above: an attacker can completely bypass authentication via certain configurations of the jwt-auth plugin; affects Apache APISIX v2.2 through v3.16.0; users are recommended to upgrade to v3.17.0, which fixes the issue.
VulDB
vuldb · 2026-06-19
CVE-2026-39999 [CRITICAL] Apache APISIX up to 3.16.0 authentication spoofing (EUVD-2026-38013)
A vulnerability categorized as critical has been discovered in Apache APISIX up to 3.16.0. The impacted function is not identified. The manipulation results in authentication bypass by spoofing.
This vulnerability is identified as CVE-2026-39999. The attack can be executed remotely. No exploit is currently available.
It is advisable to upgrade the affected component.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Timeline: 2026-06-19 published