Apache APISIX 3.11-3.16 HMAC Auth Auth Bypass via Capture-Replay, Fixed 3.17
CVE-2026-47341 Published on June 19, 2026
Apache APISIX: Session replay issue in hmac-auth
Authentication Bypass by Capture-replay vulnerability in Apache APISIX.
Attacker can benefit from certain configurations in hmac-auth to re-use a token forever, bypassing expiry.
This issue affects Apache APISIX: from 3.11.0 through 3.16.0.
Users are recommended to upgrade to version 3.17.0, which fixes the issue.
Weakness Type
Authentication Bypass by Capture-replay
A capture-replay flaw exists when the design of the software makes it possible for a malicious user to sniff network traffic and bypass authentication by replaying it to the server in question to the same effect as the original message (or with minor changes). Capture-replay attacks are common and can be difficult to defeat without cryptography. They are a subset of network injection attacks that rely on observing previously-sent valid commands, then changing them slightly if necessary and resending the same commands to the server.
Products Associated with CVE-2026-47341
Want to know whenever a new CVE is published for Apache Apisix? stack.watch will email you.
Affected Versions
Apache Software Foundation Apache APISIX:- Version 3.11.0, <= 3.16.0 is affected.