CVE-2026-47341 Apache Software Foundation CVE debrief

Who should care

Defenders of Apache APISIX instances, particularly those using versions between 3.11.0 and 3.16.0, should be aware of this vulnerability. Upgrading to version 3.17.0 is recommended to mitigate the risk. This vulnerability could allow attackers to bypass authentication mechanisms, potentially leading to unauthorized access.

Technical summary

The vulnerability is caused by a Capture-replay attack in the hmac-auth configuration of Apache APISIX. This allows an attacker to capture and replay authentication tokens, effectively bypassing the expiry mechanism. The affected versions are from 3.11.0 to 3.16.0. The fix is included in version 3.17.0. The CVSS:4.0 vector is AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X.

Defensive priority

Medium priority due to potential for authentication bypass and unauthorized access.

Recommended defensive actions

• Upgrade Apache APISIX to version 3.17.0 or later
• Review current configurations of hmac-auth in Apache APISIX
• Monitor for suspicious authentication attempts
• Inventory APISIX instances for version compliance
• Apply compensating controls if immediate upgrade is not feasible

Evidence notes

The primary evidence for this vulnerability comes from the CVE record and the NVD detail page. The vulnerability affects Apache APISIX versions from 3.11.0 through 3.16.0. Defenders should verify their current version of Apache APISIX and compare it with the affected versions. The official CVE record and NVD detail provide the most accurate and up-to-date information.

Official resources