CVE-2026-49230
CriticalCVSS 9.1Exploitation Probability (EPSS)
Low risk14th percentile — higher than 14% of all known CVEs
Summary
The vulnerability related to improper validation of integrity check value in Apache APISIX allows authentication bypass in the jwe-decrypt plugin under default configuration. This issue affects versions from 3.8.0 to 3.16.0.
Risk Assessment
Organizations may be exposed to unauthorized access to systems, potentially leading to serious security breaches.
Recommendation
It is recommended to upgrade to version 3.17.0, which fixes the issue.
Original NVD description (English source)
Improper Validation of Integrity Check Value vulnerability in Apache APISIX. The jwe-decrypt plugin under default configuration is vulnerable to authentication bypass. This issue affects Apache APISIX: from 3.8.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue.

