[Verse 1]
Apache APISIX got a triple threat today
Three CVEs sitting at nine-point-one, CVSS no delay
First up CVE-2026-39999, jwt-auth plugin misbehaves
Certain configurations let an attacker slip through the gates
No password, no token, no credential at the door
They've bypassed authentication, walked straight across your floor

[Chorus]
APISIX under siege, the gateway cracked wide open
CVE stack, nine-point-one, the perimeter broken
Spoof the identity, forge the request, decrypt the key
Four flaws in your API, June twenty-fifth, twenty-twenty-six spree
Patch it fast, configure tight, default settings bite
Apache APISIX bearing wounds across the site

[Verse 2]
CVE-2026-44087, openid-connect is the scene
Default configuration leaves a surface unforeseen
Insufficient verification means the attacker spoofs who's who
The plugin trusts the wrong voice, hands the kingdom over to you
Identity hijacked like a signature on a blank check
The plugin never questioned it, never ran a second check

[Chorus]
APISIX under siege, the gateway cracked wide open
CVE stack, nine-point-one, the perimeter broken
Spoof the identity, forge the request, decrypt the key
Four flaws in your API, June twenty-fifth, twenty-twenty-six spree
Patch it fast, configure tight, default settings bite
Apache APISIX bearing wounds across the site

[Verse 3]
CVE-2026-49230, jwe-decrypt takes the stage
Improper validation of the integrity check, nine-point-one rage
The plugin skips confirming that the encrypted payload's clean
Authentication bypass through the cracks between the seams
Three separate plugins, three separate holes to fall
Same severity, same platform, same Apache APISIX wall

[Bridge]
Then comes nine-point-THREE — CVE-2026-49871
cas-auth plugin, CSRF, the nastiest one
A remote attacker tricks a victim, sends them to a page they own
Cross-site request forgery, commands sent from a foreign zone
The victim's session weaponized, the action isn't theirs
The gateway executes the fraud without a single flare

[Chorus]
APISIX under siege, the gateway cracked wide open
CVE stack, nine-point-one, the perimeter broken
Spoof the identity, forge the request, decrypt the key
Four flaws in your API, June twenty-fifth, twenty-twenty-six spree
Patch it fast, configure tight, default settings bite
Apache APISIX bearing wounds across the site

[Outro]
Four vulnerabilities, one platform, defaults are the trap
Review your jwt-auth, your openid-connect on the map
jwe-decrypt needs validation, cas-auth needs CSRF defense
June twenty-fifth advisory — tighten up your fence