Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-accessible with no privileges required, but mandatory user interaction; scope change captures session token exposure on the victim's subsequent system, with low confidentiality and integrity impact.
Primary rating from Vendor (apache).
CVSS VectorVendor: apache
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Apache APISIX.
The attacker could manipulate some client headers to perform an open-redirect, to potentially expose the session token.
This issue affects Apache APISIX: from 3.0.0 through 3.16.0.
Users are recommended to upgrade to version 3.17.0, which fixes the issue.
AnalysisAI
Open redirect in Apache APISIX 3.0.0 through 3.16.0 enables unauthenticated remote attackers to manipulate specific HTTP client headers, causing victim users to be redirected to attacker-controlled sites with potential session token leakage. Exploitation requires active user interaction and specific attack conditions (CVSS 4.0 AT:P, UI:A), yielding a vendor-assigned score of 2.1 (Low) - limiting realistic exposure to targeted phishing scenarios rather than opportunistic mass exploitation. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires Apache APISIX versions 3.0.0-3.16.0 to be processing HTTP requests where attacker-manipulated client headers (described in the advisory as 'some client headers' - the specific header names are not disclosed in available data) are used as input to redirect logic. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 score of 2.1 (Low) reflects a constrained threat model: attack requirements must be present (AT:P), the victim must actively follow a crafted link (UI:A), and all impact is confined to subsequent systems at a low level (SC:L, SI:L), with zero direct impact on the APISIX host itself (VC:N, VI:N, VA:N). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker identifies a browser-facing APISIX 3.0.0-3.16.0 deployment and crafts a URL to a legitimate APISIX endpoint with a manipulated HTTP header (such as a spoofed Host or X-Forwarded-Host value) pointing to an attacker-controlled domain. The link is delivered to an authenticated victim via phishing; when clicked, APISIX processes the manipulated header and issues a redirect response to the attacker's site, where the victim's session token arrives via the Referer header or is embedded in the redirect URL. … |
| Remediation | Upgrade Apache APISIX to version 3.17.0, which is the vendor-confirmed fix per the Apache Software Foundation advisory at https://lists.apache.org/thread/yo1kq93ds69zbgjjopop7dmzm7zhj1gq. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Open Redirect
View allA malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL ca
GFI Kerio Control versions 9.2.5 through 9.4.5 contain an HTTP response splitting vulnerability in the dest parameter of
PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect
Multiple open redirect vulnerabilities in Apache Struts 2.0.0 through 2.3.15 allow remote attackers to redirect users to
Open redirect vulnerability in age-verification.php in the Age Verification plugin 0.4 and earlier for WordPress allows
Open redirect vulnerability in Kaseya Virtual System Administrator (VSA) 7.x before 7.0.0.29, 8.x before 8.0.0.18, 9.0 b
Vulnerability in the Oracle Applications Framework component of Oracle E-Business Suite (subcomponent: Popup windows (li
Unspecified vulnerability in the Oracle Application Server Single Sign-On component in Oracle Fusion Middleware 10.1.4.3
Flarum is open source discussion platform software. Rated medium severity (CVSS 6.5), this vulnerability is remotely exp
Open redirect vulnerability in Novius OS 5.0.1 (Elche) allows remote attackers to redirect users to arbitrary web sites
Open redirect vulnerability in the Redirect function in stageshow_redirect.php in the StageShow plugin before 5.0.9 for
Nteract v.0.28.0 was discovered to contain a remote code execution (RCE) vulnerability via the Markdown link. Rated crit
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38023
GHSA-q562-qrm6-7p84