
CVE-2025-46647 – Apache APISIX Vulnerability

Severity

Medium

Analysis Summary

CVE-2025-46647

Apache APISIX could allow a remote attacker to bypass security restrictions because the openid-connect plugin does not properly validate the issuer obtained from the introspection discovery URL. If the openid-connect plugin is used in introspection mode, the auth service behind it serves multiple issuers, and those issuers share the same private key and are distinguished only by their issuer value, an attacker holding a valid account on one issuer could log into the other issuer.

Impact

  • Security Bypass

Indicators of Compromise

CVE

  • CVE-2025-46647

Affected Vendors

Apache

Affected Products

  • Apache APISIX - 3.11.0

Remediation

Refer to Apache Website for patch, upgrade, or suggested workaround information.
