CVE-2026-39999
CriticalCVSS 9.1Exploitation Probability (EPSS)
Low risk33th percentile — higher than 33% of all known CVEs
Summary
Authentication Bypass by Spoofing vulnerability in Apache APISIX allows an attacker to completely bypass the authentication process by capitalizing on certain configurations of the jwt-auth plugin. This issue affects Apache APISIX from v2.2 through v3.16.0.
Risk Assessment
The organization is at risk of unauthorized access to the system, which could lead to serious data security breaches.
Recommendation
Users are recommended to upgrade to version v3.17.0, which fixes the issue.
Original NVD description (English source)
Authentication Bypass by Spoofing vulnerability in Apache APISIX. The attacker can completely bypass authentication capitalising on certain configurations of jwt-auth plugin. This issue affects Apache APISIX: from v2.2 through v3.16.0. Users are recommended to upgrade to version v3.17.0, which fixes the issue.

