Skip to main content

Apache CVE-2026-31923

| EUVDEUVD-2026-22239 HIGH
Cleartext Transmission of Sensitive Information (CWE-319)
2026-04-14 apache GHSA-j648-xxf5-44cv
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

6
Re-analysis Queued
Apr 17, 2026 - 15:22 vuln.today
cvss_changed
Analysis Generated
Apr 14, 2026 - 19:40 vuln.today
CVSS changed
Apr 14, 2026 - 19:22 NVD
7.5 (None) 7.5 (HIGH)
EUVD ID Assigned
Apr 14, 2026 - 09:00 euvd
EUVD-2026-22239
Analysis Generated
Apr 14, 2026 - 09:00 vuln.today
CVE Published
Apr 14, 2026 - 08:38 nvd
HIGH 7.5

DescriptionCVE.org

Cleartext Transmission of Sensitive Information vulnerability in Apache APISIX.

This can occur due to ssl_verify in openid-connect plugin configuration being set to false by default. This issue affects Apache APISIX: from 0.7 through 3.15.0.

Users are recommended to upgrade to version 3.16.0, which fixes the issue.

AnalysisAI

Sensitive authentication tokens in Apache APISIX OpenID Connect plugin transmit in cleartext when connecting to identity providers, affecting versions 0.7 through 3.15.0. The ssl_verify parameter defaults to false, disabling TLS certificate validation and enabling potential man-in-the-middle interception of authentication credentials. With CVSS 7.5 (High), network-based attackers can intercept confidential data without authentication. EPSS probability is minimal (0.01%, 2nd percentile) with no confirmed active exploitation (CISA KEV absent), indicating theoretical risk despite high CVSS severity.

Technical ContextAI

Apache APISIX is a cloud-native API gateway built on NGINX and LuaJIT. The vulnerability resides in the openid-connect plugin, which handles OAuth 2.0/OIDC authentication flows between the gateway and identity providers. The root cause (CWE-319: Cleartext Transmission of Sensitive Information) stems from the ssl_verify configuration defaulting to false, disabling TLS certificate verification during HTTPS connections to OIDC providers. When certificate validation is disabled, the plugin accepts any certificate-including those presented by man-in-the-middle attackers-allowing interception of bearer tokens, authorization codes, and client credentials transmitted during authentication handshakes. This affects the trust relationship between APISIX and upstream identity providers across all 0.7.x through 3.15.0 releases spanning multiple years of deployments.

RemediationAI

Upgrade to Apache APISIX version 3.16.0, which changes the ssl_verify default to true and enforces TLS certificate validation in the openid-connect plugin. The Apache Software Foundation advisory at https://lists.apache.org/thread/0pjs72l7qj83j3srw1l1toyj24bsgkds confirms version 3.16.0 as the complete fix. For deployments unable to immediately upgrade, implement the workaround by explicitly setting ssl_verify to true in all openid-connect plugin configurations, ensuring certificate validation occurs for identity provider connections. Review existing plugin instances to identify and remediate configurations with ssl_verify set to false. Additionally, audit network architecture to ensure APISIX-to-IdP communications traverse trusted network segments with traffic inspection capabilities to detect potential man-in-the-middle attempts during the remediation window.

Share

CVE-2026-31923 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy