Apache Apisix
Monthly
Authentication bypass in Apache APISIX 3.0.0 through 3.16.0 allows a network-accessible attacker holding valid credentials from an alternate CAS (Central Authentication Service) source to authenticate against routes protected by the cas-auth plugin, circumventing intended access controls on protected backend APIs. The flaw, rooted in insufficient credential-origin validation within the cas-auth plugin (CWE-287), enables a credential confusion attack across identity sources - potentially granting unauthorized access to downstream systems the gateway is meant to protect. No public exploit code or CISA KEV listing exists at time of analysis; Apache has released version 3.17.0 as the confirmed fix.
The cas-auth plugin in Apache APISIX 3.0.0-3.16.0 enables identity substitution via CSRF under its default configuration. An attacker who lures a victim to an attacker-controlled webpage can cause the victim's browser to complete a CAS authentication handshake as the attacker's identity within the APISIX gateway. Subsequent API gateway actions performed by the victim are then recorded and authorized under the attacker's account, creating audit trail corruption and potential authorization abuse. No public exploit code exists and this CVE is not listed in CISA KEV at time of analysis.
HMAC authentication replay in Apache APISIX 3.11.0 through 3.16.0 permits remote attackers who have captured a valid hmac-auth signed token to reuse that token indefinitely, entirely bypassing expiry enforcement under certain plugin configurations. The CVSS 4.0 vector (6.3, AT:P) confirms exploitation depends on a specific hmac-auth configuration condition, limiting blanket exposure but posing significant risk to affected deployments where tokens can be intercepted. No public exploit code or CISA KEV listing has been identified at time of analysis; the fix is available in version 3.17.0 per the Apache security advisory.
Open redirect in Apache APISIX 3.0.0 through 3.16.0 enables unauthenticated remote attackers to manipulate specific HTTP client headers, causing victim users to be redirected to attacker-controlled sites with potential session token leakage. Exploitation requires active user interaction and specific attack conditions (CVSS 4.0 AT:P, UI:A), yielding a vendor-assigned score of 2.1 (Low) - limiting realistic exposure to targeted phishing scenarios rather than opportunistic mass exploitation. No public exploit code or CISA KEV listing exists at time of analysis; the Apache Software Foundation has released a vendor-confirmed fix in version 3.17.0.
Identity header spoofing in the Apache APISIX OPA (Open Policy Agent) plugin allows low-privileged network attackers to relay forged identity headers to upstream services, potentially assuming elevated privileges on those services. Versions 3.5.0 through 3.16.0 are affected, but only when the OPA plugin is deployed in a non-default configuration that fails to sanitize inbound identity headers before forwarding them. No public exploit or active exploitation has been identified; the CVSS 4.0 score of 2.3 reflects the constrained real-world impact driven by the specific configuration prerequisite and the limitation that only downstream upstream services are affected rather than APISIX itself.
Authentication bypass in Apache APISIX's jwe-decrypt plugin (versions 3.8.0 through 3.16.0) allows unauthenticated network attackers to circumvent JWE token integrity validation and reach services protected by the gateway. The root cause (CWE-354) is improper validation of the JWE authentication tag under the plugin's default configuration, meaning crafted or tampered tokens are accepted as legitimate. No public exploit code and no CISA KEV listing are identified at time of analysis; the vendor-released fix is Apache APISIX 3.17.0.
Open redirect in Apache APISIX's cas-auth plugin exposes users to phishing and credential theft when the plugin is used in its default configuration. Affected are all APISIX deployments running versions 3.0.0 through 3.16.0 with cas-auth enabled. An unauthenticated remote attacker can craft a malicious CAS authentication URL that redirects victims to an attacker-controlled site, enabling session hijacking or credential harvesting. No public exploit or KEV listing is recorded at time of analysis, and the CVSS 4.0 base score of 2.1 reflects the attacker's dependence on user interaction and the absence of direct system-level impact.
Identity header spoofing in Apache APISIX's openid-connect plugin (versions 2.3 through 3.16.0) enables low-privileged network attackers to bypass authentication controls and gain unauthorized access to protected upstream resources. The plugin, under its default configuration, fails to strip or validate incoming identity-bearing HTTP headers presented by clients before forwarding requests to backend services, allowing an attacker to inject arbitrary identity claims. No public exploit code or confirmed active exploitation (CISA KEV) has been identified at time of analysis, but the network-exploitable nature and high impact on subsequent systems (SC:H/SI:H in CVSS 4.0) elevate this beyond its moderate overall score.
Incorrect authorization in the Apache APISIX authz-casdoor plugin allows a network-authenticated attacker to cross-authenticate using credentials from a different identity source, effectively bypassing the intended authorization boundary. Affected versions span 2.14.1 through 3.16.0, covering a wide deployment surface for this popular open-source API gateway. The CVSS 4.0 vector signals no direct impact to APISIX itself but high confidentiality and integrity impact on subsequent systems - the upstream APIs and services the gateway is meant to protect. No public exploit code or CISA KEV listing has been identified at time of analysis.
The wolf-rbac plugin in Apache APISIX 1.2.0 through 3.16.0 trusts client-controlled identity and IP data under its default configuration, allowing a low-privileged network attacker to inject spoofed identity information into application logs and manipulate IP-based access control rule evaluation. Rooted in CWE-348 (Use of Less-Trusted Source), the plugin accepts identity claims from a less-trusted input channel rather than authoritative internal state. No public exploit has been identified and the vulnerability is absent from the CISA KEV catalog; the vendor has released a fix in version 3.17.0.
Authentication bypass in Apache APISIX versions 2.2 through 3.16.0 allows remote attackers to circumvent authentication enforced by the jwt-auth plugin under certain configurations, granting unauthorized access to APIs that should require a valid JWT. The flaw stems from spoofable identity assertions (CWE-290) in the plugin's verification logic, and at time of analysis there is no public exploit identified, but the wide affected version range and gateway role make it operationally significant.
Identity header spoofing in Apache APISIX versions 2.12.0 through 3.16.0 allows a low-privileged network attacker to manipulate header values forwarded by the forward-auth plugin to upstream backend services. The flaw, rooted in improper input validation (CWE-20) of the forward-auth plugin's header handling, enables an attacker to impersonate other identities as seen by backend services that rely on APISIX to assert trustworthy identity context. No active exploitation is confirmed in CISA KEV and no public proof-of-concept has been identified, but the CVSS 4.0 subsequent-system impact metrics (SC:H/SI:H/SA:H) signal that backend services face high-severity consequences if exploited.
Authentication bypass in Apache APISIX 3.0.0 through 3.16.0 allows a network-accessible attacker holding valid credentials from an alternate CAS (Central Authentication Service) source to authenticate against routes protected by the cas-auth plugin, circumventing intended access controls on protected backend APIs. The flaw, rooted in insufficient credential-origin validation within the cas-auth plugin (CWE-287), enables a credential confusion attack across identity sources - potentially granting unauthorized access to downstream systems the gateway is meant to protect. No public exploit code or CISA KEV listing exists at time of analysis; Apache has released version 3.17.0 as the confirmed fix.
The cas-auth plugin in Apache APISIX 3.0.0-3.16.0 enables identity substitution via CSRF under its default configuration. An attacker who lures a victim to an attacker-controlled webpage can cause the victim's browser to complete a CAS authentication handshake as the attacker's identity within the APISIX gateway. Subsequent API gateway actions performed by the victim are then recorded and authorized under the attacker's account, creating audit trail corruption and potential authorization abuse. No public exploit code exists and this CVE is not listed in CISA KEV at time of analysis.
HMAC authentication replay in Apache APISIX 3.11.0 through 3.16.0 permits remote attackers who have captured a valid hmac-auth signed token to reuse that token indefinitely, entirely bypassing expiry enforcement under certain plugin configurations. The CVSS 4.0 vector (6.3, AT:P) confirms exploitation depends on a specific hmac-auth configuration condition, limiting blanket exposure but posing significant risk to affected deployments where tokens can be intercepted. No public exploit code or CISA KEV listing has been identified at time of analysis; the fix is available in version 3.17.0 per the Apache security advisory.
Open redirect in Apache APISIX 3.0.0 through 3.16.0 enables unauthenticated remote attackers to manipulate specific HTTP client headers, causing victim users to be redirected to attacker-controlled sites with potential session token leakage. Exploitation requires active user interaction and specific attack conditions (CVSS 4.0 AT:P, UI:A), yielding a vendor-assigned score of 2.1 (Low) - limiting realistic exposure to targeted phishing scenarios rather than opportunistic mass exploitation. No public exploit code or CISA KEV listing exists at time of analysis; the Apache Software Foundation has released a vendor-confirmed fix in version 3.17.0.
Identity header spoofing in the Apache APISIX OPA (Open Policy Agent) plugin allows low-privileged network attackers to relay forged identity headers to upstream services, potentially assuming elevated privileges on those services. Versions 3.5.0 through 3.16.0 are affected, but only when the OPA plugin is deployed in a non-default configuration that fails to sanitize inbound identity headers before forwarding them. No public exploit or active exploitation has been identified; the CVSS 4.0 score of 2.3 reflects the constrained real-world impact driven by the specific configuration prerequisite and the limitation that only downstream upstream services are affected rather than APISIX itself.
Authentication bypass in Apache APISIX's jwe-decrypt plugin (versions 3.8.0 through 3.16.0) allows unauthenticated network attackers to circumvent JWE token integrity validation and reach services protected by the gateway. The root cause (CWE-354) is improper validation of the JWE authentication tag under the plugin's default configuration, meaning crafted or tampered tokens are accepted as legitimate. No public exploit code and no CISA KEV listing are identified at time of analysis; the vendor-released fix is Apache APISIX 3.17.0.
Open redirect in Apache APISIX's cas-auth plugin exposes users to phishing and credential theft when the plugin is used in its default configuration. Affected are all APISIX deployments running versions 3.0.0 through 3.16.0 with cas-auth enabled. An unauthenticated remote attacker can craft a malicious CAS authentication URL that redirects victims to an attacker-controlled site, enabling session hijacking or credential harvesting. No public exploit or KEV listing is recorded at time of analysis, and the CVSS 4.0 base score of 2.1 reflects the attacker's dependence on user interaction and the absence of direct system-level impact.
Identity header spoofing in Apache APISIX's openid-connect plugin (versions 2.3 through 3.16.0) enables low-privileged network attackers to bypass authentication controls and gain unauthorized access to protected upstream resources. The plugin, under its default configuration, fails to strip or validate incoming identity-bearing HTTP headers presented by clients before forwarding requests to backend services, allowing an attacker to inject arbitrary identity claims. No public exploit code or confirmed active exploitation (CISA KEV) has been identified at time of analysis, but the network-exploitable nature and high impact on subsequent systems (SC:H/SI:H in CVSS 4.0) elevate this beyond its moderate overall score.
Incorrect authorization in the Apache APISIX authz-casdoor plugin allows a network-authenticated attacker to cross-authenticate using credentials from a different identity source, effectively bypassing the intended authorization boundary. Affected versions span 2.14.1 through 3.16.0, covering a wide deployment surface for this popular open-source API gateway. The CVSS 4.0 vector signals no direct impact to APISIX itself but high confidentiality and integrity impact on subsequent systems - the upstream APIs and services the gateway is meant to protect. No public exploit code or CISA KEV listing has been identified at time of analysis.
The wolf-rbac plugin in Apache APISIX 1.2.0 through 3.16.0 trusts client-controlled identity and IP data under its default configuration, allowing a low-privileged network attacker to inject spoofed identity information into application logs and manipulate IP-based access control rule evaluation. Rooted in CWE-348 (Use of Less-Trusted Source), the plugin accepts identity claims from a less-trusted input channel rather than authoritative internal state. No public exploit has been identified and the vulnerability is absent from the CISA KEV catalog; the vendor has released a fix in version 3.17.0.
Authentication bypass in Apache APISIX versions 2.2 through 3.16.0 allows remote attackers to circumvent authentication enforced by the jwt-auth plugin under certain configurations, granting unauthorized access to APIs that should require a valid JWT. The flaw stems from spoofable identity assertions (CWE-290) in the plugin's verification logic, and at time of analysis there is no public exploit identified, but the wide affected version range and gateway role make it operationally significant.
Identity header spoofing in Apache APISIX versions 2.12.0 through 3.16.0 allows a low-privileged network attacker to manipulate header values forwarded by the forward-auth plugin to upstream backend services. The flaw, rooted in improper input validation (CWE-20) of the forward-auth plugin's header handling, enables an attacker to impersonate other identities as seen by backend services that rely on APISIX to assert trustworthy identity context. No active exploitation is confirmed in CISA KEV and no public proof-of-concept has been identified, but the CVSS 4.0 subsequent-system impact metrics (SC:H/SI:H/SA:H) signal that backend services face high-severity consequences if exploited.