CVE-2026-49230
Published 2026-06-19
Improper Validation of Integrity Check Value vulnerability in Apache APISIX. The jwe-decrypt plugin under default configuration is vulnerable to authentication bypass.
Priority: P2 (61)
Severity: critical, 9.1 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS: 0.22% (12.9th percentile)
Improper Validation of Integrity Check Value vulnerability in Apache APISIX.
The jwe-decrypt plugin under default configuration is vulnerable to authentication bypass.
This issue affects Apache APISIX: from 3.8.0 through 3.16.0.
Users are recommended to upgrade to version 3.17.0, which fixes the issue.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | apisix | >= 3.8.0 < 3.17.0 | 3.17.0 |
| apache_software_foundation | apache_apisix | 3.8.0 – 3.16.0 | — |
CVSS provenance
- NVD, CVSS v3.1: 9.1 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
- NVD, CVSS v4.0: 6.3 MEDIUM, CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
VulDB (vuldb, 2026-06-19)
CVE-2026-49230 [CRITICAL] Apache APISIX up to 3.16.0 integrity check (EUVD-2026-38019)
A vulnerability classified as critical has been found in Apache APISIX up to 3.16.0. Affected is an unknown function. The manipulation leads to improper validation of integrity check value.
This vulnerability is documented as CVE-2026-49230. The attack can be initiated remotely. There is not any exploit available.
It is recommended to upgrade the affected component.
GHSA (ghsa_unreviewed, 2026-06-19)
CVE-2026-49230 [MEDIUM] CWE-354 Improper Validation of Integrity Check Value vulnerability in Apache APISIX.
Improper Validation of Integrity Check Value vulnerability in Apache APISIX.
The jwe-decrypt plugin under default configuration is vulnerable to authentication bypass.
This issue affects Apache APISIX: from 3.8.0 through 3.16.0.
Users are recommended to upgrade to version 3.17.0, which fixes the issue.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-06-19