Skip to main content

Apache APISIX EUVDEUVD-2026-38020

| CVE-2026-49231 LOW
Authentication Bypass by Spoofing (CWE-290)
2026-06-19 apache GHSA-3cm7-pvjf-2x7q
2.3
CVSS 4.0 · Vendor: apache

Severity by source

Vendor (apache) PRIMARY
2.3 LOW
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
4.9 MEDIUM

Non-default configuration prerequisite (AT:P in 4.0) maps to AC:H; low privileges required; only subsequent-system confidentiality and integrity are affected at low severity.

3.1 AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (apache).

CVSS VectorVendor: apache

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 19, 2026 - 14:24 vuln.today

DescriptionCVE.org

Authentication Bypass by Spoofing vulnerability in opa plugin.

An attacker could relay spoofed identity headers to upstream capitalising on non-default configuration in opa plugin.

This could allow the attacker to assume higher privileges on the upstream service. This issue affects Apache APISIX: from 3.5.0 through 3.16.0.

Users are recommended to upgrade to version 3.17.0, which fixes the issue.

AnalysisAI

Identity header spoofing in the Apache APISIX OPA (Open Policy Agent) plugin allows low-privileged network attackers to relay forged identity headers to upstream services, potentially assuming elevated privileges on those services. Versions 3.5.0 through 3.16.0 are affected, but only when the OPA plugin is deployed in a non-default configuration that fails to sanitize inbound identity headers before forwarding them. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate to APISIX with low privileges
Delivery
Identify OPA-plugin-protected route
Exploit
Craft HTTP request with spoofed high-privilege identity headers
Execution
Submit request through the gateway
Persist
OPA plugin relays headers unmodified due to non-default config
Impact
Upstream service trusts spoofed identity and grants elevated access

Vulnerability AssessmentAI

Exploitation Exploitation requires two specific conditions to be simultaneously true: first, the Apache APISIX OPA plugin must be enabled and deployed in a non-default configuration that does not sanitize or strip identity headers from inbound client requests before forwarding them upstream; second, the attacker must have at least low-level authenticated access to the gateway (PR:L per CVSS vector). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 2.3 accurately reflects a low-priority issue. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with low-level authenticated access to an Apache APISIX deployment (versions 3.5.0-3.16.0) where the OPA plugin is running in a non-default configuration crafts HTTP requests that include spoofed identity headers asserting a higher-privileged identity. APISIX, without stripping or validating these headers, forwards the full request to the upstream service, which trusts the injected identity and grants access or capabilities intended for the spoofed higher-privileged user. …
Remediation Upgrade Apache APISIX to version 3.17.0, which resolves the issue per the vendor advisory at https://lists.apache.org/thread/s1jd1vxm59p6ghx47xhmpjdk1cobo4hn. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-39999 HIGH
7.0 Jun 19

Authentication bypass in Apache APISIX versions 2.2 through 3.16.0 allows remote attackers to circumvent authentication

CVE-2026-47341 MEDIUM
6.3 Jun 19

HMAC authentication replay in Apache APISIX 3.11.0 through 3.16.0 permits remote attackers who have captured a valid hma

CVE-2026-49230 MEDIUM
6.3 Jun 19

Authentication bypass in Apache APISIX's jwe-decrypt plugin (versions 3.8.0 through 3.16.0) allows unauthenticated netwo

CVE-2026-39998 MEDIUM
5.8 Jun 19

Identity header spoofing in Apache APISIX versions 2.12.0 through 3.16.0 allows a low-privileged network attacker to man

CVE-2026-49872 MEDIUM
5.3 Jun 19

Authentication bypass in Apache APISIX 3.0.0 through 3.16.0 allows a network-accessible attacker holding valid credentia

CVE-2026-47339 MEDIUM
5.3 Jun 19

Incorrect authorization in the Apache APISIX authz-casdoor plugin allows a network-authenticated attacker to cross-authe

CVE-2026-44087 MEDIUM
5.3 Jun 19

Identity header spoofing in Apache APISIX's openid-connect plugin (versions 2.3 through 3.16.0) enables low-privileged n

CVE-2026-44046 LOW
2.3 Jun 19

The wolf-rbac plugin in Apache APISIX 1.2.0 through 3.16.0 trusts client-controlled identity and IP data under its defau

CVE-2026-48895 LOW
2.1 Jun 19

Open redirect in Apache APISIX 3.0.0 through 3.16.0 enables unauthenticated remote attackers to manipulate specific HTTP

CVE-2026-44915 LOW
2.1 Jun 19

Open redirect in Apache APISIX's cas-auth plugin exposes users to phishing and credential theft when the plugin is used

CVE-2026-49871 LOW
2.1 Jun 19

The cas-auth plugin in Apache APISIX 3.0.0-3.16.0 enables identity substitution via CSRF under its default configuration

Share

EUVD-2026-38020 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy