A newly disclosed vulnerability, CVE-2025-46647, has been identified in the openid-connect plugin of Apache APISIX, a widely used open-source API gateway.
This flaw, rated as important, could allow attackers to gain unauthorized access across different identity issuers under specific misconfigurations.
The vulnerability was reported by JunXu Chen to the Apache APISIX development mailing list on July 2, 2025, and credited to security researcher Tiernan Messmer.
| CVE ID | Product | Affected Versions | Fixed Version | Severity |
| CVE-2025-46647 | Apache APISIX | < 3.12.0 | 3.12.0 | Important |
Technical Details
The vulnerability arises from improper validation of the issuer when using the openid-connect plugin in introspection mode.
Specifically, the plugin fails to adequately verify the issuer from the introspection discovery URL, which can be exploited in certain multi-issuer environments.
This vulnerability only impacts deployments that meet all of the following conditions:
- The openid-connect plugin is enabled and configured in introspection mode.
- The authentication service connected to the plugin supports multiple issuers.
- These issuers share the same private key and rely solely on the issuer value for differentiation.
If these conditions are met, an attacker with valid credentials for one issuer could potentially use their token to access resources protected by another issuer, effectively bypassing cross-issuer boundaries.
The flaw is particularly concerning for organizations using a single identity provider across multiple logical domains, such as in multi-tenant enterprise environments or federated cloud architectures.
In such cases, improper issuer validation could lead to unauthorized access to sensitive resources, undermining the security model of the affected systems.
Affected Versions
| Software | Affected Versions | Fixed Version |
| Apache APISIX | < 3.12.0 | 3.12.0 |
All users running Apache APISIX versions prior to 3.12.0 are strongly advised to upgrade to version 3.12.0 or later.
The Apache APISIX team has addressed the issue in this release, ensuring proper validation of the issuer in the openid-connect plugin.
Exclusive Webinar Alert: Harnessing Intel® Processor Innovations for Advanced API Security – Register for Free
