Skip to main content

Apache APISIX CVE-2026-39998

| EUVDEUVD-2026-38011 MEDIUM
Improper Input Validation (CWE-20)
2026-06-19 apache GHSA-86hq-f9pp-3cr9
5.8
CVSS 4.0 · Vendor: apache
Share

Severity by source

Vendor (apache) PRIMARY
5.8 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.2 HIGH

Specific forward-auth plugin configuration required maps to AC:H; impact is on backend systems not APISIX itself (S:C); no availability impact confirmed by description.

3.1 AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N

Primary rating from Vendor (apache).

CVSS VectorVendor: apache

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jun 19, 2026 - 14:21 vuln.today
CVE Published
Jun 19, 2026 - 13:04 cve.org
MEDIUM 5.8

DescriptionCVE.org

Improper Input Validation vulnerability in Apache APISIX.

The attacker can take advantage of certain configuration in forward-auth plugin to spoof identity headers. This issue affects Apache APISIX: from 2.12.0 through 3.16.0.

Users are recommended to upgrade to version 3.17.0, which fixes the issue.

AnalysisAI

Identity header spoofing in Apache APISIX versions 2.12.0 through 3.16.0 allows a low-privileged network attacker to manipulate header values forwarded by the forward-auth plugin to upstream backend services. The flaw, rooted in improper input validation (CWE-20) of the forward-auth plugin's header handling, enables an attacker to impersonate other identities as seen by backend services that rely on APISIX to assert trustworthy identity context. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate or obtain low-privilege route access
Delivery
Identify APISIX route using forward-auth plugin
Exploit
Craft HTTP request with injected identity headers
Execution
APISIX fails to validate/sanitize headers
Persist
Spoofed headers relayed to upstream backend
Impact
Backend grants elevated access based on forged identity claims

Vulnerability AssessmentAI

Exploitation Exploitation requires Apache APISIX version 2.12.0-3.16.0 with the forward-auth plugin enabled on at least one route and configured in a way that permits header spoofing (described as 'certain configuration' by the vendor but not enumerated in publicly available data - consult https://lists.apache.org/thread/vgkvy396010d7g6m0jrn4d3hjf2svlvv for specifics). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The aggregate CVSS 4.0 score of 5.8 understates the downstream blast radius: subsequent-system metrics of SC:H/SI:H/SA:H indicate that any backend service relying on APISIX's forward-auth headers for access control faces high-severity confidentiality, integrity, and availability exposure if this vulnerability is exploited. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with low-privilege access to an APISIX route protected by the forward-auth plugin sends crafted HTTP requests containing manipulated header values that exploit the plugin's failure to validate input. APISIX forwards the spoofed identity headers to the upstream backend service, which treats them as authoritative assertions from the authentication layer and grants the attacker access to resources or permissions belonging to another user or role. …
Remediation Upgrade Apache APISIX to version 3.17.0, the vendor-confirmed fix release, as documented in the Apache security advisory at https://lists.apache.org/thread/vgkvy396010d7g6m0jrn4d3hjf2svlvw. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-39999 HIGH
7.0 Jun 19

Authentication bypass in Apache APISIX versions 2.2 through 3.16.0 allows remote attackers to circumvent authentication

CVE-2026-47341 MEDIUM
6.3 Jun 19

HMAC authentication replay in Apache APISIX 3.11.0 through 3.16.0 permits remote attackers who have captured a valid hma

CVE-2026-49230 MEDIUM
6.3 Jun 19

Authentication bypass in Apache APISIX's jwe-decrypt plugin (versions 3.8.0 through 3.16.0) allows unauthenticated netwo

CVE-2026-49872 MEDIUM
5.3 Jun 19

Authentication bypass in Apache APISIX 3.0.0 through 3.16.0 allows a network-accessible attacker holding valid credentia

CVE-2026-47339 MEDIUM
5.3 Jun 19

Incorrect authorization in the Apache APISIX authz-casdoor plugin allows a network-authenticated attacker to cross-authe

CVE-2026-44087 MEDIUM
5.3 Jun 19

Identity header spoofing in Apache APISIX's openid-connect plugin (versions 2.3 through 3.16.0) enables low-privileged n

CVE-2026-49231 LOW
2.3 Jun 19

Identity header spoofing in the Apache APISIX OPA (Open Policy Agent) plugin allows low-privileged network attackers to

CVE-2026-44046 LOW
2.3 Jun 19

The wolf-rbac plugin in Apache APISIX 1.2.0 through 3.16.0 trusts client-controlled identity and IP data under its defau

CVE-2026-48895 LOW
2.1 Jun 19

Open redirect in Apache APISIX 3.0.0 through 3.16.0 enables unauthenticated remote attackers to manipulate specific HTTP

CVE-2026-44915 LOW
2.1 Jun 19

Open redirect in Apache APISIX's cas-auth plugin exposes users to phishing and credential theft when the plugin is used

CVE-2026-49871 LOW
2.1 Jun 19

The cas-auth plugin in Apache APISIX 3.0.0-3.16.0 enables identity substitution via CSRF under its default configuration

Share

CVE-2026-39998 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy