Skip to main content

Apache APISIX CVE-2026-44087

| EUVDEUVD-2026-38017 MEDIUM
Insufficient Verification of Data Authenticity (CWE-345)
2026-06-19 apache GHSA-4v22-j8v6-qgvh
5.3
CVSS 4.0 · Vendor: apache
Share

Severity by source

Vendor (apache) PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
9.6 CRITICAL

Network-exploitable with low privileges; scope changes to backend resources (S:C) with full confidentiality/integrity impact on downstream services but no availability or APISIX-local impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N

Primary rating from Vendor (apache).

CVSS VectorVendor: apache

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jun 19, 2026 - 14:23 vuln.today
CVE Published
Jun 19, 2026 - 13:11 cve.org
MEDIUM 5.3

DescriptionCVE.org

Insufficient Verification of Data Authenticity vulnerability in Apache APISIX.

The openid-connect plugin under default configuration has an attack surface that allows the attacker to spoof identity headers allowing the attacker to get unauthorized access the protected resources. This issue affects Apache APISIX: from 2.3 through 3.16.0.

Users are recommended to upgrade to version 3.17.0, which fixes the issue.

AnalysisAI

Identity header spoofing in Apache APISIX's openid-connect plugin (versions 2.3 through 3.16.0) enables low-privileged network attackers to bypass authentication controls and gain unauthorized access to protected upstream resources. The plugin, under its default configuration, fails to strip or validate incoming identity-bearing HTTP headers presented by clients before forwarding requests to backend services, allowing an attacker to inject arbitrary identity claims. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privileged API access
Delivery
Identify identity header names used by openid-connect plugin
Exploit
Craft request with spoofed identity headers
Execution
Submit to APISIX gateway endpoint
Persist
Plugin forwards headers without stripping
Impact
Backend service grants unauthorized access

Vulnerability AssessmentAI

Exploitation The openid-connect plugin must be actively deployed within the Apache APISIX instance - this is not a vulnerability in the APISIX core itself, but specifically in the plugin when used. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 5.3 (Medium) is tempered by AT:P (attack requirements present), signaling a specific prerequisite condition beyond the attacker's full control - in this case, the openid-connect plugin being deployed and active. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with low-privileged access to an Apache APISIX gateway (versions 2.3-3.16.0) running the openid-connect plugin crafts an HTTP request containing spoofed identity headers - for example, setting X-Consumer-Username to an admin account - before the plugin validates the OIDC session. Because the plugin's default configuration does not strip these incoming headers, APISIX forwards the fabricated identity claims to the upstream protected service, which trusts them as authoritative and grants the attacker unauthorized access or elevated privileges. …
Remediation The primary fix is to upgrade Apache APISIX to version 3.17.0 or later, which resolves the identity header spoofing issue in the openid-connect plugin, per the Apache advisory at https://lists.apache.org/thread/72ryrgdssk6s2x9d6xn14bxyyl878xfm. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-39999 HIGH
7.0 Jun 19

Authentication bypass in Apache APISIX versions 2.2 through 3.16.0 allows remote attackers to circumvent authentication

CVE-2026-47341 MEDIUM
6.3 Jun 19

HMAC authentication replay in Apache APISIX 3.11.0 through 3.16.0 permits remote attackers who have captured a valid hma

CVE-2026-49230 MEDIUM
6.3 Jun 19

Authentication bypass in Apache APISIX's jwe-decrypt plugin (versions 3.8.0 through 3.16.0) allows unauthenticated netwo

CVE-2026-39998 MEDIUM
5.8 Jun 19

Identity header spoofing in Apache APISIX versions 2.12.0 through 3.16.0 allows a low-privileged network attacker to man

CVE-2026-49872 MEDIUM
5.3 Jun 19

Authentication bypass in Apache APISIX 3.0.0 through 3.16.0 allows a network-accessible attacker holding valid credentia

CVE-2026-47339 MEDIUM
5.3 Jun 19

Incorrect authorization in the Apache APISIX authz-casdoor plugin allows a network-authenticated attacker to cross-authe

CVE-2026-49231 LOW
2.3 Jun 19

Identity header spoofing in the Apache APISIX OPA (Open Policy Agent) plugin allows low-privileged network attackers to

CVE-2026-44046 LOW
2.3 Jun 19

The wolf-rbac plugin in Apache APISIX 1.2.0 through 3.16.0 trusts client-controlled identity and IP data under its defau

CVE-2026-48895 LOW
2.1 Jun 19

Open redirect in Apache APISIX 3.0.0 through 3.16.0 enables unauthenticated remote attackers to manipulate specific HTTP

CVE-2026-44915 LOW
2.1 Jun 19

Open redirect in Apache APISIX's cas-auth plugin exposes users to phishing and credential theft when the plugin is used

CVE-2026-49871 LOW
2.1 Jun 19

The cas-auth plugin in Apache APISIX 3.0.0-3.16.0 enables identity substitution via CSRF under its default configuration

Share

CVE-2026-44087 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy