Threat Advisory

Apache APISIX OpenID Plugin Flaw Enables Unauthorized Access

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High
EXECUTIVE SUMMARY:

A vulnerability (CVE-2025-46647) has been identified in Apache APISIX's OpenID Connect plugin, rated "Important" in severity (CVSS score of 7.4). The flaw allows unauthorized cross-issuer access when specific misconfigurations are present. An attacker holding a valid token from one issuer can reuse it to reach resources protected for a different issuer when both issuers sign with the same private key and the plugin does not strictly validate the token's issuer claim: a signature check alone cannot tell the two issuers apart. This impacts Apache APISIX versions before 3.12.0, particularly in multi-issuer setups using introspection mode.

  • CVE-2025-46647: The vulnerability is in the OpenID Connect plugin when it runs in introspection mode in front of multiple issuers that share the same private key. Every token from either issuer then carries a signature that verifies under the same key, so the issuers can only be told apart by the issuer (iss) claim; if that claim is not strictly enforced, an attacker can bypass authentication by presenting a valid token from one issuer to a route that is meant to accept only the other issuer's tokens. The flaw primarily affects multi-tenant systems and federated cloud architectures where a single identity provider deployment manages multiple logical domains.

When misconfigured in this way, the plugin can grant access across security domains that were meant to be isolated, which is a direct risk to environments built on shared authentication infrastructure. It underlines that in multi-issuer systems the issuer of every token must be validated explicitly rather than inferred from a successful signature check.
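The following is an added illustration of the failure mode described above; it is not code from Apache APISIX or its OpenID Connect plugin (which is written in Lua) and does not reproduce the plugin's fix. It models two issuers that share one signing key and shows how a verifier that checks only signature and expiry accepts a tenant-A token on a tenant-B route, while a verifier that also pins the iss and aud claims rejects it. HS256 with a shared secret stands in for the shared private key so the example runs with the standard library only; the issuer URLs, audiences, key and subject names are constructed.

```python
"""Added example (not APISIX code): a signature check alone cannot separate two
OIDC issuers that sign with the same key; the iss (and aud) claims must be pinned."""
import base64
import hashlib
import hmac
import json
import time

# Constructed sample: two issuers that (mis)share one signing key. HS256 is used so the
# example is self-contained; the advisory describes a shared private key, where the
# same reasoning applies to RS256/ES256 tokens.
SHARED_KEY = b"constructed-shared-signing-key"
ISSUER_A = "https://idp.example.com/tenant-a"
ISSUER_B = "https://idp.example.com/tenant-b"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(issuer, subject, audience, key=SHARED_KEY, lifetime=300, now=None):
    """Mint a minimal HS256 JWT for the given issuer (hypothetical IdP behaviour)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "sub": subject, "aud": audience, "iat": now, "exp": now + lifetime}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "." +
                     _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def _verify_signature(token, key):
    """Return the claims if the HS256 signature checks out under key, else None."""
    try:
        h, c, s = token.split(".")
    except ValueError:
        return None
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None
    return json.loads(_b64url_decode(c))


def verify_weak(token, key=SHARED_KEY, now=None):
    """Signature + expiry only: cannot tell issuer A from issuer B when they share a key."""
    claims = _verify_signature(token, key)
    now = int(time.time()) if now is None else now
    if claims is None or claims.get("exp", 0) <= now:
        return None
    return claims


def verify_strict(token, expected_issuer, expected_audience, key=SHARED_KEY, now=None):
    """Signature + expiry + exact issuer match + audience membership."""
    claims = verify_weak(token, key, now)
    if claims is None:
        return None
    if claims.get("iss") != expected_issuer:
        return None  # token was minted by a different issuer, even though the key matches
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if expected_audience not in auds:
        return None
    return claims


def demo():
    """Present a tenant-A token to tenant-B's route; return (weak_accepted, strict_accepted)."""
    now = 1_700_000_000  # fixed clock so the result is deterministic
    token_a = mint_token(ISSUER_A, "alice", "tenant-a-api", now=now)
    weak = verify_weak(token_a, now=now) is not None
    strict = verify_strict(token_a, ISSUER_B, "tenant-b-api", now=now) is not None
    return weak, strict


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The strict verifier is simply what OpenID Connect Core already requires of a relying party: the iss claim must equal the issuer the route is configured for, and the audience must include the relying party. Any gateway or plugin that fronts several issuers from one key set needs that comparison in addition to the cryptographic check.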

RECOMMENDATION:

  • We strongly recommend you update Apache APISIX to version 3.12.0 or later, and confirm the installed version afterwards with the command apisix version. Until the upgrade is complete, break one of the preconditions the flaw depends on: do not let separate OpenID Connect issuers sign tokens with the same private key, and review any deployment that runs the openid-connect plugin in introspection mode against more than one issuer.

REFERENCES:

The following reports contain further technical details:
