Skip to main content

Apache APISIX CVE-2026-44046

| EUVDEUVD-2026-38014 LOW
Use of Less Trusted Source (CWE-348)
2026-06-19 apache GHSA-pmhp-pr8x-258q
2.3
CVSS 4.0 · Vendor: apache

Severity by source

Vendor (apache) PRIMARY
2.3 LOW
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
3.5 LOW

Network vector with PR:L because low-privilege access is required; AC:H reflects the specific wolf-rbac plugin configuration prerequisite; S:C captures downstream log and IP ACL integrity impact.

3.1 AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N

Primary rating from Vendor (apache).

CVSS VectorVendor: apache

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 19, 2026 - 14:21 vuln.today

DescriptionCVE.org

Use of Less Trusted Source vulnerability in Apache APISIX.

Attacker can take advantage of wolf-rbac plugin under default configuration to potentially pollute logs with spoofed identity information and exploit IP based access control rules. This issue affects Apache APISIX: from 1.2.0 through 3.16.0.

Users are recommended to upgrade to version 3.17.0, which fixes the issue.

AnalysisAI

The wolf-rbac plugin in Apache APISIX 1.2.0 through 3.16.0 trusts client-controlled identity and IP data under its default configuration, allowing a low-privileged network attacker to inject spoofed identity information into application logs and manipulate IP-based access control rule evaluation. Rooted in CWE-348 (Use of Less-Trusted Source), the plugin accepts identity claims from a less-trusted input channel rather than authoritative internal state. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privilege access to APISIX gateway
Delivery
Craft requests with spoofed identity or IP headers
Exploit
wolf-rbac plugin trusts client-supplied source data
Execution
False identity injected into application audit logs
Persist
Spoofed IP bypasses IP-based access control rules
Impact
Access unauthorized API routes or obscure attacker identity in logs

Vulnerability AssessmentAI

Exploitation The wolf-rbac plugin must be explicitly enabled in Apache APISIX and configured on at least one route or service - it is not active in all default APISIX deployments and must be deliberately integrated. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 base score of 2.3 (Very Low) accurately reflects the limited impact envelope of this vulnerability: only subsequent-system integrity is affected at a low level (SI:L), with no confidentiality or availability impacts on either the vulnerable component or downstream systems per the vector. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A low-privileged attacker with valid credentials or permitted access to an APISIX API gateway running the wolf-rbac plugin in its default configuration crafts HTTP requests that include spoofed identity or IP headers which the plugin accepts as authoritative. The attacker can inject arbitrary identity strings into audit logs - implicating other users or masking their own activity - and simultaneously present a trusted IP address to bypass IP-based access control rules enforced by the plugin. …
Remediation Vendor-released patch: Apache APISIX 3.17.0, as documented in the Apache Software Foundation advisory at https://lists.apache.org/thread/xkshmps51b24yw0qckl5h5ddyv0x6qf9. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-39999 HIGH
7.0 Jun 19

Authentication bypass in Apache APISIX versions 2.2 through 3.16.0 allows remote attackers to circumvent authentication

CVE-2026-47341 MEDIUM
6.3 Jun 19

HMAC authentication replay in Apache APISIX 3.11.0 through 3.16.0 permits remote attackers who have captured a valid hma

CVE-2026-49230 MEDIUM
6.3 Jun 19

Authentication bypass in Apache APISIX's jwe-decrypt plugin (versions 3.8.0 through 3.16.0) allows unauthenticated netwo

CVE-2026-39998 MEDIUM
5.8 Jun 19

Identity header spoofing in Apache APISIX versions 2.12.0 through 3.16.0 allows a low-privileged network attacker to man

CVE-2026-49872 MEDIUM
5.3 Jun 19

Authentication bypass in Apache APISIX 3.0.0 through 3.16.0 allows a network-accessible attacker holding valid credentia

CVE-2026-47339 MEDIUM
5.3 Jun 19

Incorrect authorization in the Apache APISIX authz-casdoor plugin allows a network-authenticated attacker to cross-authe

CVE-2026-44087 MEDIUM
5.3 Jun 19

Identity header spoofing in Apache APISIX's openid-connect plugin (versions 2.3 through 3.16.0) enables low-privileged n

CVE-2026-49231 LOW
2.3 Jun 19

Identity header spoofing in the Apache APISIX OPA (Open Policy Agent) plugin allows low-privileged network attackers to

CVE-2026-48895 LOW
2.1 Jun 19

Open redirect in Apache APISIX 3.0.0 through 3.16.0 enables unauthenticated remote attackers to manipulate specific HTTP

CVE-2026-44915 LOW
2.1 Jun 19

Open redirect in Apache APISIX's cas-auth plugin exposes users to phishing and credential theft when the plugin is used

CVE-2026-49871 LOW
2.1 Jun 19

The cas-auth plugin in Apache APISIX 3.0.0-3.16.0 enables identity substitution via CSRF under its default configuration

Share

CVE-2026-44046 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy