Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
6DescriptionCVE.org
Cleartext Transmission of Sensitive Information vulnerability in Apache APISIX.
This can occur due to ssl_verify in openid-connect plugin configuration being set to false by default. This issue affects Apache APISIX: from 0.7 through 3.15.0.
Users are recommended to upgrade to version 3.16.0, which fixes the issue.
AnalysisAI
Sensitive authentication tokens in Apache APISIX OpenID Connect plugin transmit in cleartext when connecting to identity providers, affecting versions 0.7 through 3.15.0. The ssl_verify parameter defaults to false, disabling TLS certificate validation and enabling potential man-in-the-middle interception of authentication credentials. With CVSS 7.5 (High), network-based attackers can intercept confidential data without authentication. EPSS probability is minimal (0.01%, 2nd percentile) with no confirmed active exploitation (CISA KEV absent), indicating theoretical risk despite high CVSS severity.
Technical ContextAI
Apache APISIX is a cloud-native API gateway built on NGINX and LuaJIT. The vulnerability resides in the openid-connect plugin, which handles OAuth 2.0/OIDC authentication flows between the gateway and identity providers. The root cause (CWE-319: Cleartext Transmission of Sensitive Information) stems from the ssl_verify configuration defaulting to false, disabling TLS certificate verification during HTTPS connections to OIDC providers. When certificate validation is disabled, the plugin accepts any certificate-including those presented by man-in-the-middle attackers-allowing interception of bearer tokens, authorization codes, and client credentials transmitted during authentication handshakes. This affects the trust relationship between APISIX and upstream identity providers across all 0.7.x through 3.15.0 releases spanning multiple years of deployments.
RemediationAI
Upgrade to Apache APISIX version 3.16.0, which changes the ssl_verify default to true and enforces TLS certificate validation in the openid-connect plugin. The Apache Software Foundation advisory at https://lists.apache.org/thread/0pjs72l7qj83j3srw1l1toyj24bsgkds confirms version 3.16.0 as the complete fix. For deployments unable to immediately upgrade, implement the workaround by explicitly setting ssl_verify to true in all openid-connect plugin configurations, ensuring certificate validation occurs for identity provider connections. Review existing plugin instances to identify and remediate configurations with ssl_verify set to false. Additionally, audit network architecture to ensure APISIX-to-IdP communications traverse trusted network segments with traffic inspection capabilities to detect potential man-in-the-middle attempts during the remediation window.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22239
GHSA-j648-xxf5-44cv