A newly disclosed vulnerability, CVE-2025-46647, has been identified in the openid-connect plugin of Apache APISIX, a widely used open-source API gateway.
The flaw, rated as important, may allow attackers to gain unauthorized access across different identity issuers under specific misconfigurations.
The vulnerability was reported by JunXu Chen to the Apache APISIX development mailing list on July 2, 2025, and credited to security researcher Tiernan Messmer.
CVE ID | Product | Affected Versions | Fixed Version | Severity
--- | --- | --- | --- | ---
CVE-2025-46647 | Apache APISIX | < 3.12.0 | 3.12.0 | Important
Technical Details
The vulnerability arises from improper validation of the issuer when the openid-connect plugin is used in introspection mode.
Specifically, the plugin fails to adequately verify the issuer obtained from the introspection discovery URL, which can be exploited in certain multi-issuer environments.
This vulnerability only affects deployments that meet all of the following conditions:
- The openid-connect plugin is enabled and configured in introspection mode.
- The authentication service connected to the plugin supports multiple issuers.
- Those issuers share the same private key and rely solely on the issuer value to tell them apart.
If these conditions are met, an attacker holding valid credentials for one issuer could potentially use their token to access resources protected by another issuer, effectively bypassing cross-issuer boundaries.
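The precondition above (one shared signing key, issuers told apart only by the `iss` claim) and the effect of checking the introspected issuer against the one a route was configured for, as an added illustrative model in Python. This is not APISIX plugin code; the shared key, issuer URLs and subject are constructed sample values.

```python
"""Illustrative model (not APISIX code) of the CVE-2025-46647 precondition: two
issuers sign with one shared key and differ only in their `iss` claim."""
import base64, hmac, hashlib, json, time

SHARED_KEY = b"constructed-shared-secret"          # constructed sample key
ISSUER_A = "https://idp.example.test/tenant-a"     # constructed issuer URLs
ISSUER_B = "https://idp.example.test/tenant-b"

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def mint_token(issuer: str, sub: str, ttl: int = 300) -> str:
    """Mint a compact HS256 JWT; both issuers use SHARED_KEY."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = _b64(json.dumps({"iss": issuer, "sub": sub,
                              "exp": int(time.time()) + ttl}).encode())
    sig = hmac.new(SHARED_KEY, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    return f"{header}.{claims}.{_b64(sig)}"

def introspect(token: str) -> dict:
    """Model of an RFC 7662 introspection endpoint shared by both issuers: it
    verifies signature and expiry, but it cannot know which issuer the relying
    gateway expected, so it only echoes the token's `iss` claim back."""
    try:
        header, claims, sig = token.split(".")
        expected = hmac.new(SHARED_KEY, f"{header}.{claims}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(_b64(expected), sig):
            return {"active": False}
        body = json.loads(base64.urlsafe_b64decode(claims + "=" * (-len(claims) % 4)))
        if body["exp"] < time.time():
            return {"active": False}
        return {"active": True, "iss": body["iss"], "sub": body["sub"]}
    except (ValueError, KeyError):
        return {"active": False}

def authorize_vulnerable(token: str, configured_issuer: str) -> bool:
    """Accepts any active token, ignoring which issuer this route is bound to:
    the cross-issuer gap the advisory describes."""
    return introspect(token).get("active", False)

def authorize_fixed(token: str, configured_issuer: str) -> bool:
    """Additionally requires the introspected `iss` to equal the issuer this
    route was configured for (the issuer from the discovery document)."""
    info = introspect(token)
    return info.get("active", False) and info.get("iss") == configured_issuer
```

A token minted for tenant A passes the vulnerable check on a route bound to tenant B, because the shared key makes it "active"; the fixed check rejects it on the issuer mismatch alone.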
The flaw is especially concerning for organizations using a single identity provider across multiple logical domains, such as multi-tenant enterprise environments or federated cloud architectures.
In such cases, improper issuer validation could lead to unauthorized access to sensitive resources, undermining the security model of the affected systems.
Affected Versions
Software | Affected Versions | Fixed Version
--- | --- | ---
Apache APISIX | < 3.12.0 | 3.12.0
All users running Apache APISIX versions prior to 3.12.0 are strongly advised to upgrade to version 3.12.0 or later.
The Apache APISIX team has addressed the issue in this release, ensuring proper validation of the issuer in the openid-connect plugin.