THIS report discusses a critical vulnerability in Apache APISIX, identified as CVE-2026-39999, which enables authentication bypass due to a JWT algorithm confusion flaw. The CVSS score is high at 9.1, indicating significant risk. The vulnerability affects versions up to 3.16.0, allowing attackers to forge authentication tokens without credentials by exploiting the token header's control.
There are currently no confirmed exploitations, but the threat is serious as it can lead to broader system exposure if admin accounts are compromised. Recommended actions include upgrading to APISIX 3.16.1 or later, which includes a patch to mitigate the issue.