CVE-2026-39999— Apache APISIX: JWT Algorithm Confusion allows authentication bypass
Affected Version Matrix 1
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Apache Software Foundation | Apache APISIX | 2.2≤ 3.16.0 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-39999
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Apache APISIX: JWT Algorithm Confusion allows authentication bypass
Source: NVD (National Vulnerability Database)
Vulnerability Description
Authentication Bypass by Spoofing vulnerability in Apache APISIX. The attacker can completely bypass authentication capitalising on certain configurations of jwt-auth plugin. This issue affects Apache APISIX: from v2.2 through v3.16.0. Users are recommended to upgrade to version v3.17.0, which fixes the issue.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
使用欺骗进行的认证绕过
Source: NVD (National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Apache Software Foundation | Apache APISIX | 2.2 ~ 3.16.0 | - |
II. Public POCs for CVE-2026-39999
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-39999
请登录查看更多情报信息。
Mailing List Discussions for CVE-2026-39999 (1)
Same Patch Batch · Apache Software Foundation · 2026-06-19 · 12 CVEs total
| CVE-2026-49872 | Apache APISIX: Improper authentication in cas-auth plugin | |
| CVE-2026-49871 | Apache APISIX: cas-auth login CSRF / session injection issue | |
| CVE-2026-47341 | Apache APISIX: Session replay issue in hmac-auth | |
| CVE-2026-48895 | Apache APISIX: Cas-auth Host header influence on CAS service URL | |
| CVE-2026-49231 | Apache APISIX: Identity spoofing issue in APISIX opa plugin | |
| CVE-2026-49230 | Apache APISIX: Authentication bypass in jwe-decrypt | |
| CVE-2026-44915 | Apache APISIX: Cas-auth plugin open redirect via unsanitized cookie value | |
| CVE-2026-44087 | Apache APISIX: Openid-connect plugin Identity Header Spoofing | |
| CVE-2026-47339 | Apache APISIX: authz-casdoor incorrect session sharing | |
| CVE-2026-44046 | Apache APISIX: wolf-rbac plugin Identity Spoofing | |
| CVE-2026-39998 | Apache APISIX: Identity Injection via forward-auth Plugin Missing Header Cleanup |
IV. Related Vulnerabilities
Same product: Apache APISIX
- CVE-2026-49872
Apache APISIX: Improper authentication in cas-auth plugin - CVE-2026-49871
Apache APISIX: cas-auth login CSRF / session injection issue - CVE-2026-47341
Apache APISIX: Session replay issue in hmac-auth - CVE-2026-48895
Apache APISIX: Cas-auth Host header influence on CAS service - CVE-2026-49231
Apache APISIX: Identity spoofing issue in APISIX opa plugin
Same vendor: Apache Software Foundation
- CVE-2026-49872
Apache APISIX: Improper authentication in cas-auth plugin - CVE-2026-49871
Apache APISIX: cas-auth login CSRF / session injection issue - CVE-2026-47341
Apache APISIX: Session replay issue in hmac-auth - CVE-2026-48895
Apache APISIX: Cas-auth Host header influence on CAS service - CVE-2026-49231
Apache APISIX: Identity spoofing issue in APISIX opa plugin
Same weakness: CWE-290
- CVE-2026-49231
Apache APISIX: Identity spoofing issue in APISIX opa plugin - CVE-2026-56020
Webmin HTTP header authentication bypass - CVE-2026-50141
Woodpecker gRPC agent_id metadata can be spoofed- cross-tena - CVE-2026-55202
Tinyproxy - Stathost Detection Bypass via Host Header Manipu - CVE-2026-53857
OpenClaw < 2026.5.3 - Mutable Display Name Binding in Zalo a
V. Comments for CVE-2026-39999
No comments yet