EUVD-2026-22239

| CVE-2026-31923 HIGH
2026-04-14 apache GHSA-j648-xxf5-44cv
Information Disclosure Apache Apache Apisix
7.5
CVSS 3.1
Share

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Apr 14, 2026 - 19:40 vuln.today
CVSS Changed
Apr 14, 2026 - 19:22 NVD
7.5 (None) 7.5 (HIGH)

DescriptionNVD

Cleartext Transmission of Sensitive Information vulnerability in Apache APISIX.

This can occur due to ssl_verify in openid-connect plugin configuration being set to false by default. This issue affects Apache APISIX: from 0.7 through 3.15.0.

Users are recommended to upgrade to version 3.16.0, which fixes the issue.

AnalysisAI

Sensitive authentication tokens in Apache APISIX OpenID Connect plugin transmit in cleartext when connecting to identity providers, affecting versions 0.7 through 3.15.0. The ssl_verify parameter defaults to false, disabling TLS certificate validation and enabling potential man-in-the-middle interception of authentication credentials. …

Sign in for full analysis, threat intelligence, and remediation guidance.

RemediationAI

Within 24 hours: Inventory all APISIX deployments and determine current versions; identify instances using OpenID Connect plugin. Within 7 days: Implement network segmentation to restrict APISIX-to-identity-provider communication to trusted networks only; manually enable TLS certificate validation by setting ssl_verify to true in OpenID Connect plugin configuration. …

Sign in for detailed remediation steps.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Share

EUVD-2026-22239 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy