3 matches found
A vulnerability in the Introspection Mode feature of the openid-connect plugin for the Apache APISIX cloud API gateway allows an attacker to gain access to a user’s account.
The vulnerability in the Introspection Mode feature of the openid-connect plugin for the Apache APISIX cloud API gateway involves bypassing authentication by using the same secret key. Exploiting this vulnerability could allow a malicious actor to gain access to a user’s account remotely...
BIT-APISIX-2025-46647 Apache APISIX: improper validation of issuer from introspection discovery url in plugin openid-connect
A vulnerability in the openid-connect plugin of Apache APISIX. This vulnerability will only have an impact if all of the following conditions are met: 1. Use the openid-connect plugin with introspection mode 2. The auth service connected to openid-connect provides services to multiple issuers 3...
PT-2025-27623 · Apache · Apache Apisix
Name of the Vulnerable Software and Affected Versions: Apache APISIX versions prior to 3.12.0 Description: A vulnerability in the openid-connect plugin of Apache APISIX allows an attacker with a valid account on one issuer to log into another issuer, given certain conditions. These conditions...