
CVE-2025-46647: CWE-302 Authentication Bypass by Assumed-Immutable Data in Apache Software Foundation Apache APISIX

Severity: Medium
Tags: CVE-2025-46647, CWE-302
Published: Wed Jul 02 2025 (07/02/2025, 11:08:47 UTC)
Source: CVE Database V5
Vendor/Project: Apache Software Foundation
Product: Apache APISIX

Description

A vulnerability of plugin openid-connect in Apache APISIX. This vulnerability will only have an impact if all of the following conditions are met:

1. Use the openid-connect plugin with introspection mode
2. The auth service connected to openid-connect provides services to multiple issuers
3. Multiple issuers share the same private key and rely only on the issuer being different

If affected by this vulnerability, it would allow an attacker with a valid account on one of the issuers to log into the other issuer. This issue affects Apache APISIX: until 3.12.0. Users are recommended to upgrade to version 3.12.0 or higher.

AI-Powered Analysis

AI analysis last updated: 11/04/2025, 21:50:34 UTC

Technical Analysis

CVE-2025-46647 is an authentication bypass vulnerability categorized under CWE-302 (Authentication Bypass by Assumed-Immutable Data), found in the openid-connect plugin of Apache APISIX, a popular open-source API gateway. The vulnerability affects deployments that use the openid-connect plugin in introspection mode where the authentication service supports multiple issuers that share the same private key and rely solely on the issuer claim to differentiate authentication contexts. Under these conditions, the plugin treats the issuer data as immutable and unique, so an attacker who holds a valid account on one issuer can authenticate as a user of another issuer without proper authorization. The flaw arises because the plugin does not sufficiently validate the binding between a token and its issuer when the same private key is reused: a token that verifies under the shared key is accepted regardless of which issuer minted it. The vulnerability affects all versions of Apache APISIX prior to 3.12.0, where the issue has been fixed. Exploitation requires network access and low privileges but no user interaction. The CVSS v3.1 base score is 5.3 (medium), reflecting the moderate impact on confidentiality with no impact on integrity or availability, and a high attack complexity due to the specific configuration prerequisites. No known exploits are currently reported in the wild.

Potential Impact

For European organizations, this vulnerability could lead to unauthorized access across different issuer domains within the same authentication infrastructure, potentially compromising sensitive data and services protected by Apache APISIX. Organizations using multi-issuer OpenID Connect setups with shared private keys are at risk of cross-issuer impersonation, which could undermine trust boundaries and lead to data leakage or unauthorized service access. This is particularly critical for sectors with strict data protection regulations such as finance, healthcare, and government, where identity and access management integrity is paramount. The impact is limited to confidentiality breaches without direct integrity or availability effects, but the breach of authentication boundaries can facilitate further attacks or data exfiltration. The medium severity score indicates a moderate risk that should be addressed promptly to prevent lateral movement or privilege escalation within federated identity environments.

Mitigation Recommendations

European organizations should immediately assess their Apache APISIX deployments to determine if the openid-connect plugin is used in introspection mode with multiple issuers sharing the same private key. The primary mitigation is to upgrade Apache APISIX to version 3.12.0 or later, where this vulnerability has been patched. Additionally, organizations should avoid sharing private keys across multiple issuers and ensure that each issuer uses distinct cryptographic keys to maintain strong issuer binding. Implement strict validation of tokens to verify both issuer and cryptographic signatures independently. Conduct thorough audits of identity provider configurations to detect any insecure key sharing practices. Employ network segmentation and access controls to limit exposure of the authentication service. Monitoring and logging authentication attempts across issuers can help detect anomalous cross-issuer access patterns. Finally, consider deploying additional multi-factor authentication layers to reduce the risk of unauthorized access even if token validation is bypassed.
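As an added illustration (not code from this advisory or from the APISIX project), the following Python models the three conditions above with a constructed auth service: two issuers that may share one HS256 signing key, a per-issuer introspection endpoint, and a gateway check in its flawed form (accept any token reported as active) beside the hardened form (also require the token's `iss` to equal the issuer the route is configured for). A small audit function flags issuers that share a signing key, which is the configuration check recommended above. The issuer URLs, subjects and keys are constructed; the real plugin is written in Lua and calls an HTTP introspection endpoint, which this model replaces with a method call.

```python
import base64
import hashlib
import hmac
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(issuer: str, subject: str, key: bytes) -> str:
    """Constructed stand-in for an issuer's access token: a compact HS256 JWT."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"iss": issuer, "sub": subject}).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def _verify_signature(token: str, key: bytes):
    """Return the claims if the signature checks out under `key`, else None."""
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    return json.loads(_b64url_decode(payload))


class AuthService:
    """Constructed auth service serving several issuers (condition 2).
    Each issuer has its own introspection endpoint, keyed by issuer URL."""

    def __init__(self, issuer_keys: dict):
        self.issuer_keys = issuer_keys  # issuer URL -> signing key

    def introspect(self, token: str, endpoint_issuer: str) -> dict:
        """RFC 7662-style response for the endpoint belonging to `endpoint_issuer`."""
        claims = _verify_signature(token, self.issuer_keys[endpoint_issuer])
        if claims is None:
            return {"active": False}
        # The service echoes the token's own iss claim; it does not substitute its own.
        return {"active": True, "iss": claims["iss"], "sub": claims["sub"]}


def gateway_accepts_vulnerable(service: AuthService, token: str, configured_issuer: str) -> bool:
    """The flawed assumption: an active introspection result is enough."""
    return bool(service.introspect(token, configured_issuer)["active"])


def gateway_accepts_hardened(service: AuthService, token: str, configured_issuer: str) -> bool:
    """Active AND the issuer reported for the token equals the configured issuer."""
    result = service.introspect(token, configured_issuer)
    return bool(result.get("active")) and result.get("iss") == configured_issuer


def find_shared_keys(issuer_keys: dict) -> list:
    """Config audit: group issuers by key fingerprint; a group of 2+ is a finding."""
    by_fp = {}
    for issuer, key in issuer_keys.items():
        fp = hashlib.sha256(key).hexdigest()[:16]
        by_fp.setdefault(fp, []).append(issuer)
    return [sorted(group) for group in by_fp.values() if len(group) > 1]


# Constructed issuers and keys for the demonstration.
ISSUER_A = "https://idp.example/tenant-a"
ISSUER_B = "https://idp.example/tenant-b"
SHARED_KEY = b"constructed-shared-secret"
DISTINCT_KEYS = {ISSUER_A: b"constructed-key-a", ISSUER_B: b"constructed-key-b"}


def demo() -> dict:
    """Cross-issuer token presented to a route configured for ISSUER_A."""
    shared = AuthService({ISSUER_A: SHARED_KEY, ISSUER_B: SHARED_KEY})
    token_b = mint_token(ISSUER_B, "alice", SHARED_KEY)
    token_a = mint_token(ISSUER_A, "bob", SHARED_KEY)
    distinct = AuthService(DISTINCT_KEYS)
    token_b_distinct = mint_token(ISSUER_B, "alice", DISTINCT_KEYS[ISSUER_B])
    return {
        "shared_vulnerable_cross": gateway_accepts_vulnerable(shared, token_b, ISSUER_A),
        "shared_hardened_cross": gateway_accepts_hardened(shared, token_b, ISSUER_A),
        "shared_hardened_same": gateway_accepts_hardened(shared, token_a, ISSUER_A),
        "distinct_vulnerable_cross": gateway_accepts_vulnerable(distinct, token_b_distinct, ISSUER_A),
        "shared_key_findings": find_shared_keys(shared.issuer_keys),
        "distinct_key_findings": find_shared_keys(DISTINCT_KEYS),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The two mitigations compose: with distinct keys, the cross-issuer token is already rejected at introspection because ISSUER_A's endpoint cannot verify it, and the explicit `iss` comparison covers the case where keys are shared or the introspection service verifies with a shared key. The audit function is the kind of check to run against identity-provider configuration before relying on the issuer claim alone.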


Technical Details

Data version: 5.1
Assigner short name: apache
Date reserved: 2025-04-26T15:02:23.758Z
CVSS version: null
State: PUBLISHED

Threat ID: 686516ee6f40f0eb72926ecc

Added to database: 7/2/2025, 11:24:30 AM

Last enriched: 11/4/2025, 9:50:34 PM

Last updated: 12/3/2025, 4:15:28 AM
