GHSA-3mg6-56vq-7899 · Severity: medium — Improper Validation of Integrity Check Value vulnerability in Apache APISIX. The jwe-decrypt...
Improper Validation of Integrity Check Value vulnerability in Apache APISIX. The jwe-decrypt plugin under default configuration is vulnerable to authentication bypass. This issue affects Apache APISIX: from 3.8.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue.
Conclusion & alert: CVE-2026-49230 is rated Low Risk (30/100): CVSS Medium severity, with low exploitation likelihood (EPSS 0.23%). Mandatory action: Monitor for updates and reassess as exploit intelligence or EPSS changes.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-23 | — | 0.23% | — |
Full EPSS history (1 record total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 6.3 | 4.0 | MEDIUM |
|
— | — | [email protected] |
| 9.1 | 3.1 | CRITICAL |
|
3.9 | 5.2 | [email protected] |
GHSA-3mg6-56vq-7899 · Severity: medium — Improper Validation of Integrity Check Value vulnerability in Apache APISIX. The jwe-decrypt...
| URL | Tags |
|---|---|
| https://lists.apache.org/thread/n0blgkpvz38ghh5rrh6wtl476919xj1b | Vendor Advisory Mailing List |
| http://www.openwall.com/lists/oss-security/2026/06/19/12 | Third Party Advisory |