Skip to main content

Apache APISIX CVE-2026-49871

| EUVDEUVD-2026-38025 LOW
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-06-19 apache GHSA-rrqp-g94p-gmh7
2.1
CVSS 4.0 · Vendor: apache

Severity by source

Vendor (apache) PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
3.4 LOW

Victim must actively visit attacker's page during a CAS flow (AC:H, UI:R); only downstream identity integrity is affected, triggering scope change (S:C, I:L).

3.1 AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (apache).

CVSS VectorVendor: apache

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 19, 2026 - 14:26 vuln.today

DescriptionCVE.org

Cross-Site Request Forgery (CSRF) vulnerability in the cas-auth plugin under default configurations.

This defect allows a remote attacker that manages to send a victim to a webpage controlled by them can cause the victim's browser to become authenticated as a different identity.

Actions the victim takes upstream are then attributed to attackers identity.

This issue affects Apache APISIX: from 3.0.0 through 3.16.0.

Users are recommended to upgrade to version 3.17.0, which fixes the issue.

AnalysisAI

The cas-auth plugin in Apache APISIX 3.0.0-3.16.0 enables identity substitution via CSRF under its default configuration. An attacker who lures a victim to an attacker-controlled webpage can cause the victim's browser to complete a CAS authentication handshake as the attacker's identity within the APISIX gateway. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Attacker obtains victim's APISIX CAS-auth endpoint details
Delivery
Craft malicious webpage with CSRF payload targeting CAS callback
Exploit
Socially engineer victim to visit attacker-controlled page
Execution
Victim's browser triggers CAS authentication redirect
Persist
APISIX completes auth handshake under attacker's identity
Impact
Victim's subsequent API gateway actions attributed to attacker's account

Vulnerability AssessmentAI

Exploitation Exploitation requires Apache APISIX 3.0.0-3.16.0 with the cas-auth plugin enabled under its default configuration - deployments using other authentication plugins (jwt-auth, key-auth, basic-auth, etc.) are not affected. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 2.1 (AV:N/AC:L/AT:P/PR:N/UI:A) is low and accurately reflects constrained real-world impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a webpage containing a hidden cross-origin request that triggers or redirects a CAS authentication callback targeting the victim's APISIX gateway instance. When the victim - who has the cas-auth plugin active and is susceptible to a CAS redirect - visits this page, their browser completes the CAS handshake and APISIX authenticates the session under the attacker's identity. …
Remediation The primary remediation is to upgrade Apache APISIX to version 3.17.0, which resolves the CSRF flaw in the cas-auth plugin, as confirmed by the Apache Software Foundation advisory at https://lists.apache.org/thread/1ozsnss0lof4gpwq763d66oxwxt3sycp. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-39999 HIGH
7.0 Jun 19

Authentication bypass in Apache APISIX versions 2.2 through 3.16.0 allows remote attackers to circumvent authentication

CVE-2026-47341 MEDIUM
6.3 Jun 19

HMAC authentication replay in Apache APISIX 3.11.0 through 3.16.0 permits remote attackers who have captured a valid hma

CVE-2026-49230 MEDIUM
6.3 Jun 19

Authentication bypass in Apache APISIX's jwe-decrypt plugin (versions 3.8.0 through 3.16.0) allows unauthenticated netwo

CVE-2026-39998 MEDIUM
5.8 Jun 19

Identity header spoofing in Apache APISIX versions 2.12.0 through 3.16.0 allows a low-privileged network attacker to man

CVE-2026-49872 MEDIUM
5.3 Jun 19

Authentication bypass in Apache APISIX 3.0.0 through 3.16.0 allows a network-accessible attacker holding valid credentia

CVE-2026-47339 MEDIUM
5.3 Jun 19

Incorrect authorization in the Apache APISIX authz-casdoor plugin allows a network-authenticated attacker to cross-authe

CVE-2026-44087 MEDIUM
5.3 Jun 19

Identity header spoofing in Apache APISIX's openid-connect plugin (versions 2.3 through 3.16.0) enables low-privileged n

CVE-2026-49231 LOW
2.3 Jun 19

Identity header spoofing in the Apache APISIX OPA (Open Policy Agent) plugin allows low-privileged network attackers to

CVE-2026-44046 LOW
2.3 Jun 19

The wolf-rbac plugin in Apache APISIX 1.2.0 through 3.16.0 trusts client-controlled identity and IP data under its defau

CVE-2026-48895 LOW
2.1 Jun 19

Open redirect in Apache APISIX 3.0.0 through 3.16.0 enables unauthenticated remote attackers to manipulate specific HTTP

CVE-2026-44915 LOW
2.1 Jun 19

Open redirect in Apache APISIX's cas-auth plugin exposes users to phishing and credential theft when the plugin is used

Share

CVE-2026-49871 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy