- CVE: CVE-2026-39999
- CVSS: 9.1 (High · CVSSv3)
- Product: Apache Software Foundation Apache APISIX
- Affected: 2.2
- Impact: Apache APISIX: JWT Algorithm Confusion allows authentication bypass
- Status: No confirmed exploitation yet
- EPSS: 0.4% (30-day)
- Action: See vendor advisory
TL;DR
Apache APISIX 3.16.0 shipped a JWT algorithm confusion bug in its jwt-auth plugin. The flaw, tracked as CVE-2026-39999, lets an unauthenticated attacker forge tokens and bypass authentication. Apache fixed it in APISIX 3.16.1.
Why it matters
APISIX is a widely used API gateway. So an APISIX authentication bypass can expose every service behind it. The flaw scores CVSS 9.1, critical. An attacker needs no credentials, only the consumer’s public key, which is public by design.
The damage can also cascade. If the impersonated user holds admin scope, the attacker may reach the APISIX admin API too. That outcome depends on network rules and admin access settings.
How the attack works
The issue is a classic JWT algorithm confusion. APISIX picks the verification key from the consumer’s configured algorithm. However, it picks the verification function from the token header’s alg field. That header is attacker-controlled.
Consider a consumer set to RS256. In that case, APISIX hands the public key to the verifier. An attacker then sets the header to HS256 and signs the token with that public key as the HMAC secret. As a result, the check passes, and the attacker authenticates as any user. Researchers demonstrated the bypass, yet no in-the-wild abuse is confirmed.
Affected versions
Apache lists releases up to 3.16.0 as affected. The asymmetric-key path arrived through a new parser module in 3.16.0, which widened the exposure. Only consumers configured for RS256, ES256, or PS256 face the risk.
This was not an operator mistake. RS256 sat in the schema, the docs, and the tests, so vulnerable setups followed supported guidance. Admins also had no option to pin the allowed verification algorithm.
Patch and mitigation
Upgrade to APISIX 3.16.1 or later, since the fix enforces the configured algorithm. The patch adds a cross-check that compares the token’s alg to the consumer’s setting and rejects any mismatch. The newer 3.17.0 release also bundles other security fixes. Until you patch, restrict JWT-protected routes to trusted networks.
Also audit logs for tokens that use HS256 against an RS256 consumer, because that mismatch signals an attempt. A researcher re-reported the same flaw on the oss-security mailing list in late June, so expect renewed scanning. This APISIX authentication bypass has a clean fix, so patching is the priority.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.