Gafgyt aka Bashlite Malware – Active IOCs
July 7, 2025
Severity
Medium
Analysis Summary
CVE-2025-46647
Apache APISIX could allow a remote attacker to bypass security restrictions, caused by improper validation of the issuer from the introspection discovery URL in the openid-connect plugin. The issue applies when the openid-connect plugin is used in introspection mode, the auth service connected to openid-connect provides services to multiple issuers, and those issuers share the same private key and rely only on the issuer being different. Under those conditions, an attacker with a valid account on one of the issuers could log into the other issuer.
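A simplified model of the issuer confusion described above, added here as an illustration; it is not APISIX code or the project's fix. The token format, key, issuer URLs and function names are constructed, and HMAC stands in for the shared private key so the example needs only the standard library.

```python
import base64, hashlib, hmac, json

# Constructed values: two issuers on one auth service share a signing key.
SHARED_KEY = b"constructed-shared-key"
ISSUER_A = "https://auth.example.test/tenant-a"
ISSUER_B = "https://auth.example.test/tenant-b"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input: str) -> str:
    mac = hmac.new(SHARED_KEY, signing_input.encode(), hashlib.sha256)
    return _b64(mac.digest())

def issue_token(issuer: str, subject: str) -> str:
    """Auth service: mint a token for one issuer, signed with the shared key."""
    body = _b64(json.dumps({"iss": issuer, "sub": subject}).encode())
    return f"{body}.{_sign(body)}"

def introspect(token: str) -> dict:
    """Hypothetical introspection endpoint: reports 'active' for any token with
    a valid shared-key signature, whichever issuer minted it."""
    try:
        body, sig = token.split(".")
        if not hmac.compare_digest(_sign(body).encode(), sig.encode()):
            return {"active": False}
        claims = json.loads(_unb64(body))
    except ValueError:  # wrong part count, bad base64, bad JSON
        return {"active": False}
    if not isinstance(claims, dict):
        return {"active": False}
    return {"active": True, "iss": claims.get("iss"), "sub": claims.get("sub")}

def gateway_accepts_weak(token: str) -> bool:
    """Relying side that trusts 'active' alone (the weak pattern)."""
    return introspect(token)["active"]

def gateway_accepts_strict(token: str, expected_issuer: str) -> bool:
    """Relying side that also requires 'iss' to equal the issuer it is
    configured for (expected_issuer is an assumed parameter)."""
    result = introspect(token)
    return result["active"] and result.get("iss") == expected_issuer
```

A token minted for tenant A passes the weak check on a route meant for tenant B, while the strict check accepts it only where the expected issuer is tenant A.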
Impact
- Security Bypass
Indicators of Compromise
CVE
CVE-2025-46647
Affected Vendors
Affected Products
- Apache APISIX - 3.11.0
Remediation
Refer to the Apache website for patch, upgrade, or suggested workaround information.