Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
5DescriptionCVE.org
Cleartext Transmission of Sensitive Information vulnerability in Apache APISIX.
tencent-cloud-cls log export uses plaintext HTTP This issue affects Apache APISIX: from 2.99.0 through 3.15.0.
Users are recommended to upgrade to version 3.16.0, which fixes the issue.
AnalysisAI
Apache APISIX 2.99.0 through 3.15.0 transmits sensitive log data in cleartext over HTTP when exporting logs to Tencent Cloud CLS, allowing network-based attackers to intercept and read confidential information without authentication. Vendor-released patch: version 3.16.0. EPSS indicates low real-world exploitation probability (0.01%), though the attack vector is unauthenticated and low-complexity, suggesting availability of automated interception tools rather than active targeted exploitation.
Technical ContextAI
The vulnerability resides in Apache APISIX's Tencent Cloud CLS (Cloud Log Service) export plugin, which handles transmission of log data containing potentially sensitive operational and security information. The underlying issue is the use of unencrypted HTTP instead of HTTPS for log transmission, violating CWE-319 (Cleartext Transmission of Sensitive Information). This affects the entire APISIX API gateway platform, which is widely used for API traffic management and observability; the CPE cpe:2.3:a:apache_software_foundation:apache_apisix indicates the vulnerability applies to all APISIX instances with the affected CLS export feature enabled across versions 2.99.0 through 3.15.0.
RemediationAI
Upgrade Apache APISIX to version 3.16.0 or later, which enforces HTTPS for Tencent Cloud CLS log export. Users unable to upgrade immediately should disable the CLS export plugin or restrict outbound log transmission to isolated network segments not accessible to untrusted parties. If CLS export must remain active in pre-3.16.0 deployments, configure a reverse proxy or VPN tunnel to encrypt the log transmission path. Consult the Apache APISIX advisory at https://lists.apache.org/thread/sqxjjlt87c1q28db28ztdxylm5pgwohq for version-specific upgrade guidance.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22227
GHSA-ww73-h4g4-66vr