Vulnerability Details CVE-2026-47341
Authentication Bypass by Capture-replay vulnerability in Apache APISIX.
Attacker can benefit from certain configurations in hmac-auth to re-use a token forever, bypassing expiry.
This issue affects Apache APISIX: from 3.11.0 through 3.16.0.
Users are recommended to upgrade to version 3.17.0, which fixes the issue.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.004
EPSS Ranking 32.7%
CVSS Severity
CVSS v3 Score 6.5
References
Products affected by CVE-2026-47341
-
cpe:2.3:a:apache:apisix:3.11.0
-
cpe:2.3:a:apache:apisix:3.12.0
-
cpe:2.3:a:apache:apisix:3.13.0
-
cpe:2.3:a:apache:apisix:3.14.0
-
cpe:2.3:a:apache:apisix:3.14.1
-
cpe:2.3:a:apache:apisix:3.15.0
-
cpe:2.3:a:apache:apisix:3.16.0