securityonline.info 7/8/2026, 2:52:23 PM · external

APISIX JWT bug lets attackers bypass authentication, CVE-2026-39999

APISIX JWT bug lets attackers bypass authentication, CVE-2026-39999
CyberSIXT Evidence Panel
Primary Source seclists.org
CISA KEV Not in KEV
Patch Patch Status Unknown

THIS report discusses a critical vulnerability in Apache APISIX, identified as CVE-2026-39999, which enables authentication bypass due to a JWT algorithm confusion flaw. The CVSS score is high at 9.1, indicating significant risk. The vulnerability affects versions up to 3.16.0, allowing attackers to forge authentication tokens without credentials by exploiting the token header's control.

There are currently no confirmed exploitations, but the threat is serious as it can lead to broader system exposure if admin accounts are compromised. Recommended actions include upgrading to APISIX 3.16.1 or later, which includes a patch to mitigate the issue.

View Primary Source Via securityonline.info

Article by CyberSIXT