APISIX authz-casdoor Plugin AuthZ Flaw (V2.14.1-3.16.0) CVE-2026-47339
CVE-2026-47339 Published on June 19, 2026

Apache APISIX: authz-casdoor incorrect session sharing
Incorrect Authorization vulnerability in Apache APISIX. An attacker can capitalise on authz-casdoor plugin under default configuration to authenticate themselves with credentials from a different source. This issue affects Apache APISIX: from 2.14.1 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue.

Vendor Advisory NVD

Weakness Type

What is an AuthZ Vulnerability?

The software performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

CVE-2026-47339 has been classified to as an AuthZ vulnerability or weakness.

Products Associated with CVE-2026-47339

Want to know whenever a new CVE is published for Apache Apisix? stack.watch will email you.

Apache Apisix

Affected Versions

Apache Software Foundation Apache APISIX:

Version 2.14.1, <= 3.16.0 is affected.

APISIX authz-casdoor Plugin AuthZ Flaw (V2.14.1-3.16.0) CVE-2026-47339CVE-2026-47339 Published on June 19, 2026

Weakness Type

What is an AuthZ Vulnerability?

Products Associated with CVE-2026-47339

Affected Versions

APISIX authz-casdoor Plugin AuthZ Flaw (V2.14.1-3.16.0) CVE-2026-47339
CVE-2026-47339 Published on June 19, 2026