CVE-2026-39999

UNKNOWN 0.0

Apache APISIX: JWT Algorithm Confusion allows authentication bypass

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

Authentication Bypass by Spoofing vulnerability in Apache APISIX. The attacker can completely bypass authentication capitalising on certain configurations of jwt-auth plugin. This issue affects Apache APISIX: from v2.2 through v3.16.0. Users are recommended to upgrade to version v3.17.0, which fixes the issue.

CWE	CWE-290
Vendor	apache software foundation
Product	apache apisix
Published	Jun 19, 2026
Last Updated	Jun 19, 2026

Stay Ahead of the Next One

Get instant alerts for apache software foundation apache apisix

Be the first to know when new unknown vulnerabilities affecting apache software foundation apache apisix are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Apache Software Foundation / Apache APISIX

2.2 ≤ 3.16.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

lists.apache.org: https://lists.apache.org/thread/nfopt8cnxd3k0rs1oxtr7lzxrdw4mojq openwall.com: http://www.openwall.com/lists/oss-security/2026/06/19/5

Credits

🔍 Marco Capuano