Apache (The Apache Software Foundation)
Recent Apache Security Advisories
| Advisory | Title | Published |
|---|---|---|
| 2.4.68 | 13 Vulnerabilities Fixed in Apache HTTP Server 2.4.68 | June 8, 2026 |
| 2.4.67 | 11 Vulnerabilities Fixed in Apache HTTP Server 2.4.67 | May 4, 2026 |
| 2.4.66 | 5 Vulnerabilities Fixed in Apache HTTP Server 2.4.66 | December 4, 2025 |
| 2.4.65 | Vulnerability Fixed in Apache HTTP Server 2.4.65 | July 23, 2025 |
| 2.4.64 | 8 Vulnerabilities Fixed in Apache HTTP Server 2.4.64 | July 10, 2025 |
| 2.4.62 | 2 Vulnerabilities Fixed in Apache HTTP Server 2.4.62 | July 17, 2024 |
| 2.4.61 | Vulnerability Fixed in Apache HTTP Server 2.4.61 | July 16, 2024 |
| 2.4.60 | 8 Vulnerabilities Fixed in Apache HTTP Server 2.4.60 | July 15, 2024 |
| 2.4.59 | 3 Vulnerabilities Fixed in Apache HTTP Server 2.4.59 | April 4, 2024 |
| 2.4.58 | 4 Vulnerabilities Fixed in Apache HTTP Server 2.4.58 | October 19, 2023 |
Known Exploited Apache Vulnerabilities
The following Apache vulnerabilities have recently been marked by CISA as Known to be Exploited by threat actors.
| Title | Description | CVE | Exploit Probability | Added |
|---|---|---|---|---|
| Apache ActiveMQ Improper Input Validation Vulnerability | Apache ActiveMQ contains an improper input validation vulnerability that allows for code injection. | CVE-2026-34197 | 87.0% | April 16, 2026 |
| Apache HTTP Server Improper Escaping of Output Vulnerability | Apache HTTP Server contains an improper escaping of output vulnerability in mod_rewrite that allows an attacker to map URLs to filesystem locations that are permitted to be served by the server but are not intentionally/directly reachable by any URL, resulting in code execution or source code disclosure. | CVE-2024-38475 | 100.0% | May 1, 2025 |
| Apache Tomcat Path Equivalence Vulnerability | Apache Tomcat contains a path equivalence vulnerability that allows a remote attacker to execute code, disclose information, or inject malicious content via a partial PUT request. | CVE-2025-24813 | 99.9% | April 1, 2025 |
| Apache OFBiz Forced Browsing Vulnerability | Apache OFBiz contains a forced browsing vulnerability that allows a remote attacker to obtain unauthorized access. | CVE-2024-45195 | 100.0% | February 4, 2025 |
| Apache HugeGraph-Server Improper Access Control Vulnerability | Apache HugeGraph-Server contains an improper access control vulnerability that could allow a remote attacker to execute arbitrary code. | CVE-2024-27348 | 99.2% | September 18, 2024 |
| Apache OFBiz Incorrect Authorization Vulnerability | Apache OFBiz contains an incorrect authorization vulnerability that could allow remote code execution via a Groovy payload in the context of the OFBiz user process by an unauthenticated attacker. | CVE-2024-38856 | 99.4% | August 27, 2024 |
| Apache OFBiz Path Traversal Vulnerability | Apache OFBiz contains a path traversal vulnerability that could allow for remote code execution. | CVE-2024-32113 | 99.4% | August 7, 2024 |
| Apache Flink Improper Access Control Vulnerability | Apache Flink contains an improper access control vulnerability that allows an attacker to read any file on the local filesystem of the JobManager through its REST interface. | CVE-2020-17519 | 97.9% | May 23, 2024 |
| Apache Superset Insecure Default Initialization of Resource Vulnerability | Apache Superset contains an insecure default initialization of a resource vulnerability that allows an attacker to authenticate and access unauthorized resources on installations that have not altered the default configured SECRET_KEY according to installation instructions. | CVE-2023-27524 | 97.4% | January 8, 2024 |
| Apache ActiveMQ Deserialization of Untrusted Data Vulnerability | Apache ActiveMQ contains a deserialization of untrusted data vulnerability that may allow a remote attacker with network access to a broker to run shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath. | CVE-2023-46604 | 99.7% | November 2, 2023 |
| Apache RocketMQ Command Execution Vulnerability | Several components of Apache RocketMQ, including NameServer, Broker, and Controller, are exposed to the extranet and lack permission verification. An attacker can exploit this vulnerability by using the update configuration function to execute commands as the system user that RocketMQ is running as, or achieve the same effect by forging the RocketMQ protocol content. | CVE-2023-33246 | 96.6% | September 6, 2023 |
| Apache Tomcat Remote Code Execution Vulnerability | Apache Tomcat contains an unspecified vulnerability that allows for remote code execution if JmxRemoteLifecycleListener is used and an attacker can reach Java Management Extension (JMX) ports. This CVE exists because this listener was not updated for consistency with the Oracle patched issues for CVE-2016-3427, which affected credential types. | CVE-2016-8735 | 90.3% | May 12, 2023 |
| Apache Log4j2 Deserialization of Untrusted Data Vulnerability | Apache Log4j2 contains a deserialization of untrusted data vulnerability due to the incomplete fix of CVE-2021-44228, where the Thread Context Lookup Pattern is vulnerable to remote code execution in certain non-default configurations. | CVE-2021-45046 | 100.0% | May 1, 2023 |
| Apache Spark Command Injection Vulnerability | Apache Spark contains a command injection vulnerability via the Spark User Interface (UI) when Access Control Lists (ACLs) are enabled. | CVE-2022-33891 | 93.0% | March 7, 2023 |
| Apache APISIX Authentication Bypass Vulnerability | Apache APISIX contains an authentication bypass vulnerability that allows for remote code execution. | CVE-2022-24112 | 96.2% | August 25, 2022 |
| Apache CouchDB Insecure Default Initialization of Resource Vulnerability | Apache CouchDB contains an insecure default initialization of resource vulnerability which can allow an attacker to escalate to administrative privileges. | CVE-2022-24706 | 92.3% | August 25, 2022 |
| Apache Kylin OS Command Injection Vulnerability | Apache Kylin contains an OS command injection vulnerability which could permit an attacker to perform remote code execution. | CVE-2020-1956 | 98.0% | March 25, 2022 |
| Apache Struts Improper Input Validation Vulnerability | Apache Struts allows remote attackers to execute arbitrary Object-Graph Navigation Language (OGNL) expressions. | CVE-2013-2251 | 100.0% | March 25, 2022 |
| Apache Tomcat on Windows Remote Code Execution Vulnerability | When running Apache Tomcat on Windows with HTTP PUTs enabled, it is possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server. | CVE-2017-12615 | 99.6% | March 25, 2022 |
| Apache Tomcat Remote Code Execution Vulnerability | When running Apache Tomcat, it is possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server. | CVE-2017-12617 | 100.0% | March 25, 2022 |
Of the known exploited vulnerabilities above, 20 are in the top 1%, or the 99th percentile of the EPSS exploit probability rankings.
Top 10 Riskiest Apache Vulnerabilities
Based on the current exploit probability, these Apache vulnerabilities are on CISA's Known Exploited vulnerabilities list (KEV) and are ranked by the current EPSS exploit probability.
| Rank | CVE | EPSS | Vulnerability |
|---|---|---|---|
| 1 | CVE-2021-44228 | 100.0% | Apache Log4j2 Remote Code Execution Vulnerability |
| 2 | CVE-2017-5638 | 100.0% | Apache Struts Jakarta Multipart parser exception handling vulnerability |
| 3 | CVE-2021-40438 | 100.0% | Apache HTTP Server-Side Request Forgery (SSRF) |
| 4 | CVE-2013-2251 | 100.0% | Apache Struts Improper Input Validation Vulnerability |
| 5 | CVE-2018-11776 | 100.0% | Apache Struts 2.3 to 2.3.34 and 2.5 to 2.5.16 Remote Code Execution Vulnerability |
| 6 | CVE-2021-41773 | 100.0% | Apache HTTP Server Path Traversal Vulnerability |
| 7 | CVE-2017-12617 | 100.0% | Apache Tomcat Remote Code Execution Vulnerability |
| 8 | CVE-2024-45195 | 100.0% | Apache OFBiz Forced Browsing Vulnerability |
| 9 | CVE-2021-45046 | 100.0% | Apache Log4j2 Deserialization of Untrusted Data Vulnerability |
| 10 | CVE-2021-42013 | 100.0% | Apache HTTP Server 2.4.49 and 2.4.50 Path Traversal |
By the Year
In 2026 there have been 344 vulnerabilities in Apache with an average score of 7.2 out of ten. Last year, in 2025, Apache had 229 security vulnerabilities published. That is, 115 more vulnerabilities have already been reported in 2026 than in all of last year. Last year's average CVE base score was higher by 0.07.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 344 | 7.22 |
| 2025 | 229 | 7.29 |
| 2024 | 275 | 7.45 |
| 2023 | 274 | 7.47 |
| 2022 | 228 | 7.63 |
| 2021 | 212 | 7.61 |
| 2020 | 160 | 7.56 |
| 2019 | 163 | 7.37 |
| 2018 | 155 | 7.24 |
It may take a day or so for new Apache vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Apache Security Vulnerabilities
| CVE | Date | Vulnerability | Description |
|---|---|---|---|
| CVE-2025-64152 | Jun 26, 2026 | IoTDB Path Traversal CVE-2025-64152 1.0.0-2.0.7 VULN (fixed 1.3.6/2.0.7) | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache IoTDB. This issue affects Apache IoTDB: from 1.0.0 before 1.3.6, from 2.0.0 before 2.0.7. Users are recommended to upgrade to version 1.3.6 or 2.0.7, which fixes the issue. |
| CVE-2025-55017 | Jun 26, 2026 | Apache IoTDB 2.0.0-2.0.5/1.0.0-1.3.5 Path Traversal in Restricted Directory | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache IoTDB. This issue affects Apache IoTDB: from 2.0.0 before 2.0.6, from 1.0.0 before 1.3.6. Users are recommended to upgrade to version 1.3.6 or 2.0.6, which fixes the issue. |
| CVE-2026-57915 | Jun 26, 2026 | Apache Kerby Kerberos Pre-Auth Bypass, Pre v2.1.2 (PA-DATA) | It is possible to bypass the Kerberos pre-authentication check in Apache Kerby by sending a PA-DATA with an unrecognized or unsupported type. Users are recommended to upgrade to version 2.1.2, which fixes this issue. |
| CVE-2026-57914 | Jun 26, 2026 | StackOverflow DoS via Nested ASN.1 in Apache Kerby (<2.1.2) | By sending a deeply nested ASN.1 structure to an Apache Kerby client or service, it is possible to trigger a StackOverflow exception, which can lead to denial of service. Users are recommended to upgrade to version 2.1.2, which fixes this issue. |
| CVE-2026-49486 | Jun 26, 2026 | Apache Airflow FTP Provider FTPSHook Data Channel Unencrypted (<=3.15.1) | The Apache Airflow FTP provider's `FTPSHook.get_conn()` created an `ftplib.FTP_TLS` connection but never called `prot_p()`, so although the control channel was TLS-protected, the data channel was transmitted in cleartext. Any deployment using `FTPSHook` or `FTPSFileTransmitOperator` to move files over FTPS exposed file contents and credentials in transit to a network attacker able to observe the data connection. Upgrade apache-airflow-providers-ftp to `3.15.1` or later, which issues `PROT P` to encrypt the data channel. |
| CVE-2026-56091 | Jun 25, 2026 | Apache Shiro Bypass via shiro-guice in web (2.x, 3.0.0-alpha), upgrade to 3.0.0 | When using Apache Shiro with the shiro-guice module in a web servlet context, a specially crafted HTTP request may cause an authentication bypass. This vulnerability is similar to CVE-2020-1957 (https://www.cve.org/CVERecord?id=CVE-2020-1957), except that it affects the `shiro-guice` module instead of the `shiro-spring` module. This issue affects all Apache Shiro versions through 2.x, and 3.0.0-alpha-1, only when using the `shiro-guice` module in a web servlet context. Upgrade to version 3.0.0 or later, which fixes the issue. |
| CVE-2026-56130 | Jun 25, 2026 | Apache Shiro RememberMe Cookie Lifetime Bypass v1.2.4-3.0.0-alpha-1 | The "Remember me" cookie age is not verified on the server. This potentially allows an attacker to intercept a valid cookie and reuse it indefinitely, even after the configured expiration time has passed. This issue affects all Apache Shiro versions from 1.2.4 through 2.x, and 3.0.0-alpha-1, only when RememberMe functionality is enabled. Upgrade to version 3.0.0 or later, which fixes the issue. |
| CVE-2026-41566 | Jun 25, 2026 | Apache Kvrocks <2.16.0 Improper Privilege Escalation | Improper Handling of Insufficient Permissions or Privileges vulnerability in Apache Kvrocks. This issue affects Apache Kvrocks: 2.8.0. Users are recommended to upgrade to version 2.16.0, which fixes the issue. |
| CVE-2026-45188 | Jun 25, 2026 | Apache Kvrocks 1.0-2.15: Path Traversal Vulnerability | Relative Path Traversal vulnerability in Apache Kvrocks. This issue affects Apache Kvrocks: from 1.0.0 through 2.15.0. Users are recommended to upgrade to version 2.16.0, which fixes the issue. |
| CVE-2026-46751 | Jun 25, 2026 | Apache Kvrocks 2.2.0-2.15.0 Remote Code Execution Vulnerability | A vulnerability in Apache Kvrocks. This issue affects Apache Kvrocks: from 2.2.0 through 2.15.0. Users are recommended to upgrade to version 2.16.0, which fixes the issue. |
| CVE-2026-46752 | Jun 25, 2026 | Redis Lua HEAP overflow in cjson lib (Kvrocks 2.0.4-2.15.0) | Redis Lua HEAP overflow in cjson library vulnerability in Apache Kvrocks. This issue affects Apache Kvrocks: from 2.0.4 through 2.15.0. Users are recommended to upgrade to version 2.16.0, which fixes the issue. |
| CVE-2026-54226 | Jun 25, 2026 | Apache Kvrocks 2.6.0-2.15.0 Vulnerability Fixed in 2.16.0 | A vulnerability in Apache Kvrocks. This issue affects Apache Kvrocks: from 2.6.0 through 2.15.0. Users are recommended to upgrade to version 2.16.0, which fixes the issue. |
| CVE-2025-62198 | Jun 22, 2026 | Apache Atlas Authenticated XSS @ <=2.4.0, Fixed in 2.5.0 | An authenticated user can perform XSS. This issue affects Apache Atlas versions 2.4.0 and earlier. Users are recommended to upgrade to version 2.5.0, which fixes the issue. |
| CVE-2026-44914 | Jun 22, 2026 | Apache NiFi 1.12.0-2.9.0: Missing Auth on Restricted Process Group Replace | Apache NiFi 1.12.0 through 2.9.0 are missing authorization when replacing Process Groups that include extension components with specific Required Permissions based on the Restricted annotation. The Restricted annotation indicates additional privileges required, but framework authorization did not check restricted status when handling requests to replace Process Groups. The missing authorization permits a user with general write access to add components with Restricted status. Apache NiFi installations that do not implement specific authorization for Restricted components are not subject to this vulnerability because the framework enforces write permissions as the security boundary. Upgrading to Apache NiFi 2.9.0 is the recommended mitigation, which removes the implementation of Restricted status authorization from the framework. |
| CVE-2026-44911 | Jun 22, 2026 | Apache NiFi 1.15.0-2.9.0 Authorization Bypass of Config Verification API | Authorization handling for component configuration verification requests in Apache NiFi 1.15.0 through 2.9.0 allows clients with read access to submit proposed configuration properties. The proposed properties override current configuration, enabling users with read access to invoke predefined verification methods with alternative settings. Apache NiFi installations that do not implement different levels of authorization for viewing and modifying component configuration are not subject to this vulnerability. Upgrading to Apache NiFi 2.10.0 is the recommended mitigation, requiring write access to submit configuration verification requests. |
| CVE-2026-44913 | Jun 22, 2026 | Apache NiFi CaptureChangeMySQL SQLi (v1.2.0-2.9.0) | Improper escaping of database table names in the CaptureChangeMySQL Processor included with Apache NiFi 1.2.0 through 2.9.0 allows for injecting SQL commands using crafted naming. Manual quoted boundaries added in Apache NiFi 1.8.0 narrowed the scope of potential injection options, but did not cover additional strategies. Apache NiFi installations that do not use the CaptureChangeMySQL Processor are not subject to this vulnerability. Upgrading to Apache NiFi 2.10.0 is the recommended mitigation, which incorporates more robust identifier escaping. |
| CVE-2026-54665 | Jun 22, 2026 | Apache NiFi 0.0.1-2.9.0 Proxy Host Header Validation Vulnerability | Apache NiFi 0.0.1 through 2.9.0 support building qualified URLs from one of several HTTP request headers that provide an alternative to the standard Host header, without validating the values provided. Apache NiFi 1.6.0 introduced a configurable application property to restrict values provided in the HTTP Host header, but did not apply the validation to alternative Proxy and Forwarded headers. The absence of proxy host header validation allowed a client to instruct Apache NiFi web services to construct invalid qualified URLs for redirection or data references. Upgrading to Apache NiFi 2.10.0 is the recommended mitigation, which implements validation for the X-ProxyHost and X-Forwarded-Host HTTP request headers based on the nifi.web.proxy.host property. Enabling header validation requires configuring the application with HTTPS. Reverse proxy servers in front of Apache NiFi are responsible for filtering input request headers and providing allowed values to the application. |
| CVE-2025-66336 | Jun 22, 2026 | Apache Doris MCP Server <=0.6.0 SQL Injection via Metadata Query | Apache Doris MCP Server contains a SQL injection vulnerability in a metadata query path. A user-controlled database name is directly interpolated into a SQL query, and the query is executed without passing the caller's authorization context. This may allow an authenticated attacker, or an anonymous attacker if authentication is disabled, to bypass SQL security validation and access metadata outside the intended database scope. Affected users are recommended to upgrade to Doris MCP Server version 0.6.1 or later, which fixes the issue. |
| CVE-2026-49872 | Jun 19, 2026 | Improper Auth in Apache APISIX cas-auth Plugin (3.0.0-3.16.0) | Improper Authentication vulnerability in Apache APISIX. When the cas-auth plugin is used in a route, an attacker may be able to authenticate with credentials from a different source. This issue affects Apache APISIX: from 3.0.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue. |
| CVE-2026-49871 | Jun 19, 2026 | CSRF in Apache APISIX cas-auth plugin v3.0.0-3.16.0 | Cross-Site Request Forgery (CSRF) vulnerability in the cas-auth plugin under default configurations. This defect allows a remote attacker who manages to send a victim to a webpage they control to cause the victim's browser to become authenticated as a different identity. Actions the victim takes upstream are then attributed to the attacker's identity. This issue affects Apache APISIX: from 3.0.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue. |
| CVE-2026-47341 | Jun 19, 2026 | Apache APISIX 3.11-3.16 hmac-auth Bypass via Capture-Replay, Fixed 3.17 | Authentication Bypass by Capture-replay vulnerability in Apache APISIX. An attacker can benefit from certain configurations in hmac-auth to re-use a token forever, bypassing expiry. This issue affects Apache APISIX: from 3.11.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue. |
| CVE-2026-48895 | Jun 19, 2026 | Apache APISIX Open Redirect via URL Redirection (3.0.0-3.16.0) | URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Apache APISIX. The attacker could manipulate some client headers to perform an open redirect, potentially exposing the session token. This issue affects Apache APISIX: from 3.0.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue. |
| CVE-2026-49231 | Jun 19, 2026 | Apache APISIX Auth Bypass via OPA Plugin ID Spoofing (v3.5.0-3.16.0) | Authentication Bypass by Spoofing vulnerability in the opa plugin. An attacker could relay spoofed identity headers to the upstream, capitalising on a non-default configuration in the opa plugin. This could allow the attacker to assume higher privileges on the upstream service. This issue affects Apache APISIX: from 3.5.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue. |
| CVE-2026-49230 | Jun 19, 2026 | Apache APISIX 3.8.0-3.16.0 Auth Bypass via jwe-decrypt | Improper Validation of Integrity Check Value vulnerability in Apache APISIX. The jwe-decrypt plugin under default configuration is vulnerable to authentication bypass. This issue affects Apache APISIX: from 3.8.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue. |
| CVE-2026-44915 | Jun 19, 2026 | Apache APISIX cas-auth Open Redirect (Untrusted Site) pre-3.17 | URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Apache APISIX. The default configuration of cas-auth in Apache APISIX is vulnerable to phishing and credential theft. This issue affects Apache APISIX: from 3.0.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue. |
| CVE-2026-44087 | Jun 19, 2026 | Apache APISIX openid-connect ID Spoofing Vuln 2.3-3.16.0 | Insufficient Verification of Data Authenticity vulnerability in Apache APISIX. The openid-connect plugin under default configuration has an attack surface that allows the attacker to spoof identity headers, giving the attacker unauthorized access to the protected resources. This issue affects Apache APISIX: from 2.3 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue. |
| CVE-2026-47339 | Jun 19, 2026 | APISIX authz-casdoor Plugin AuthZ Flaw (v2.14.1-3.16.0) | Incorrect Authorization vulnerability in Apache APISIX. An attacker can capitalise on the authz-casdoor plugin under default configuration to authenticate themselves with credentials from a different source. This issue affects Apache APISIX: from 2.14.1 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue. |
| CVE-2026-44046 | Jun 19, 2026 | Apache APISIX 1.2.0-3.16.0 Less Trusted Source Log Spoofing via wolf-rbac | Use of Less Trusted Source vulnerability in Apache APISIX. An attacker can take advantage of the wolf-rbac plugin under default configuration to potentially pollute logs with spoofed identity information and exploit IP-based access control rules. This issue affects Apache APISIX: from 1.2.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue. |
| CVE-2026-39999 | Jun 19, 2026 | Apache APISIX v2.2-v3.16.0: jwt-auth Authentication Bypass via Spoofing | Authentication Bypass by Spoofing vulnerability in Apache APISIX. The attacker can completely bypass authentication by capitalising on certain configurations of the jwt-auth plugin. This issue affects Apache APISIX: from v2.2 through v3.16.0. Users are recommended to upgrade to version v3.17.0, which fixes the issue. |
| CVE-2026-39998 | Jun 19, 2026 | APISIX 2.12-3.16 Improper Input Validation in forward-auth Plugin | Improper Input Validation vulnerability in Apache APISIX. The attacker can take advantage of certain configurations of the forward-auth plugin to spoof identity headers. This issue affects Apache APISIX: from 2.12.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue. |
| CVE-2026-49268 | Jun 17, 2026 | LDAP DN Injection in Apache Shiro DefaultLdapRealm (through 2.2.0) | A remote attacker can inject LDAP special characters into the Distinguished Name (DN) construction in the DefaultLdapRealm class. User-supplied username input is directly concatenated into the LDAP DN template without any escaping of RFC 2253 special characters. This allows an attacker to manipulate the DN structure used for LDAP bind authentication, potentially bypassing authentication or impersonating other users. This issue affects all Apache Shiro versions through 2.2.0, and 3.0.0-alpha-1, when using DefaultLdapRealm. Upgrade to Apache Shiro 2.2.1 or 3.0.0-alpha-2 or later, which fixes the issue. |
| CVE-2026-47340 | Jun 17, 2026 | Authenticated ACL Bypass on Alert Instances in Apache DolphinScheduler <3.4.2 | Authenticated users are allowed to access alert instances associated with alert groups they do not have permission to access in Apache DolphinScheduler. This issue affects Apache DolphinScheduler: before 3.4.2. Users are recommended to upgrade to version 3.4.2, which fixes the issue. |
| CVE-2026-32967 | Jun 17, 2026 | Apache DolphinScheduler <3.4.2: Incorrect Authorization via /v2 Experimental API | Incorrect Authorization vulnerability of the `/v2` experimental interface in Apache DolphinScheduler. This issue affects Apache DolphinScheduler: before 3.4.2. Users are recommended to upgrade to version 3.4.2, which fixes the issue. |
| CVE-2026-42357 | Jun 17, 2026 | Apache DolphinScheduler <3.4.2 Improper Auth Grants Unauthorized Workflow Access | Incorrect Authorization vulnerability allows users to access workflow instance information belonging to projects they do not have permission to access. This issue affects Apache DolphinScheduler versions prior to 3.4.2. Users are recommended to upgrade to version 3.4.2, which fixes this issue. |
| CVE-2026-41280 | Jun 17, 2026 | Apache DolphinScheduler <=3.4.1: Unauthorized Deletion of Task Definitions | Incorrect Authorization vulnerability allows users with system login privileges to delete task definitions in unauthorized projects. This issue affects Apache DolphinScheduler versions prior to 3.4.2. Users are recommended to upgrade to version 3.4.2, which fixes this issue. |
| CVE-2026-32966 | Jun 17, 2026 | Apache DolphinScheduler DataSource API Auth Bypass Metadata Disclosure <3.4.2 | A missing authorization check in the DataSource API leads to arbitrary data source metadata disclosure in Apache DolphinScheduler. This issue affects Apache DolphinScheduler: before 3.4.2. Users are recommended to upgrade to version 3.4.2, which fixes the issue. |
| CVE-2026-50203 | Jun 17, 2026 | Apache Airflow: SFTP Provider Path Traversal vulnerability (before 5.8.1) | A path traversal in the SFTP provider (`SFTPHook.retrieve_directory` / `SFTPOperator(operation=get)`) let a malicious or compromised remote SFTP server write files outside the configured local destination directory via crafted directory-entry names. No Airflow account is required; the attack surface is any deployment downloading directories from an untrusted SFTP server. Upgrade `apache-airflow-providers-sftp` to 5.8.1 or later. |
| CVE-2026-50645 | Jun 12, 2026 | Apache CXF DoS via unlimited attachment headers (before 4.2.2/4.1.7) | There is no restriction on the number of attachment headers that a message can contain when being deserialized by Apache CXF, which can lead to uncontrolled resource consumption or a denial of service attack. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fix this issue by imposing a maximum default of 500 attachments per message. |
| CVE-2026-50634 | Jun 12, 2026 | Apache CXF <4.2.2 (JwsJsonContainerRequestFilter) Signature Bypass | A vulnerability in Apache CXF's JwsJsonContainerRequestFilter can be exploited to cause CXF to process metadata that was not authenticated by the accepted signature. This can bypass the application's assumption that accepted `Content-Type` or protected HTTP-header metadata came from a verified signature entry, and may steer downstream JAX-RS entity parsing or signed-header consistency checks. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fix this issue. |
| CVE-2026-50633 | Jun 12, 2026 | Apache CXF JNDI Injection in JCA Module (Pre-4.2.2/4.1.7) | A JNDI Injection vulnerability has been discovered in Apache CXF's JCA integration module, which can allow for code execution if an attacker is able to manipulate the JCA deployment descriptor (ra.xml) or runtime activation parameters. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fix this issue. |
| CVE-2026-50632 | Jun 12, 2026 | Apache CXF <4.2.2 RCE via Untrusted JMS Config | A further incomplete fix for a previous advisory, CVE-2026-44417 (Untrusted JMS configuration can lead to RCE), for Apache CXF has been identified, which can allow code execution if untrusted users are allowed to configure JMS for Apache CXF. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fix this issue. |
| CVE-2026-50631 | Jun 12, 2026 | Apache OAuth (AbstractOAuthDataProvider) Race Condition, fixed in 4.2.2/4.1.7 | A race condition in AbstractOAuthDataProvider allows concurrent requests using the same Refresh Token to bypass single-use semantics and generate multiple valid Access Tokens when 'recycleRefreshTokens' is set to false. A leaked refresh token can be replayed concurrently by multiple attackers or threads. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fix this issue. |
| CVE-2026-50630 | Jun 12, 2026 | Apache Oltu 4.x CRLF Injection via AuthUtils before v4.2.2 | A CRLF injection vulnerability exists in the OAuth2 AuthorizationUtils class. When constructing the WWW-Authenticate response header, the 'realm' parameter is concatenated without sanitizing Carriage Return (CR) and Line Feed (LF) characters. If an attacker can control the realm value, they can inject arbitrary HTTP headers or split the HTTP response entirely. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fix this issue. |
| CVE-2026-50629 | Jun 12, 2026 | Apache Syncope OAuth2 Log Injection via clientId (v4.2.2) | The 'clientId' parameter from incoming HTTP requests is directly concatenated into OAuth2 server log warning messages without sanitizing control characters. This allows an attacker to inject arbitrary content, including fake log entries, into the server's log files. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fix this issue. |
| CVE-2026-50628 | Jun 12, 2026 | Apache Syncope 4.2.2/4.1.7 OAuthRequestFilter IP Check Logic Error | A logic error in OAuthRequestFilter rejects legitimate requests originating from the bound IP address, while blindly allowing requests from any other IP address. Enabling this security feature inadvertently creates an inverse security check. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fix this issue. |
| CVE-2026-50627 | Jun 12, 2026 | Apache CXF <4.2.2 fails to validate JWT "aud" claim (Token Replay Risk) | The JwtAccessTokenValidator class in Apache CXF fails to validate the 'aud' (Audience) claim of incoming JWT access tokens. This allows a JWT issued for one Resource Server to be successfully replayed against a completely different Resource Server, leading to Token Confusion/Routing attacks. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fix this issue. |
| CVE-2026-49875 | Jun 12, 2026 | Apache CXF <4.2.2 OOB External Entity via SAXParserFactory | Apache CXF's EndpointReferenceUtils and W3CMultiSchemaFactory classes construct a SAXParserFactory without the necessary JAXP hardening configurations, enabling out-of-band (OOB) external entity resolution. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fix this issue. |
| CVE-2026-50623 | Jun 12, 2026 | Auth Bypass via Missing Throw in Apache CXF OAuth2 Introspection <4.2.2 | An authentication bypass vulnerability exists in the OAuth2 TokenIntrospectionService in Apache CXF. Due to a missing 'throw' keyword in the security context check, the introspection endpoint (/services/oauth2/introspect) can be accessed by any unauthenticated network attacker. Note, however, that this check is only a safeguard for the case where someone forgot to enable authentication on the service. Users are recommended to upgrade to version 4.2.2 or 4.1.7, which fixes this issue. |
| CVE-2026-47342 | Jun 10, 2026 | Apache OFBiz <24.09.07 Privilege Escalation (Authenticated) | A privilege escalation vulnerability in Apache OFBiz allows a low-privileged authenticated user to obtain higher privileges. This issue affects Apache OFBiz: before 24.09.07. Users are recommended to upgrade to version 24.09.07, which fixes the issue. |
| CVE-2026-50223 | Jun 10, 2026 | Apache OFBiz before 24.09.07: Code Injection Vulnerability | Improper Control of Generation of Code ('Code Injection') vulnerability in Apache OFBiz allows a low-privileged authenticated user with Content/DataResource editing privileges to perform template injection attacks that could lead to Remote Code Execution. This issue affects Apache OFBiz: before 24.09.07. Users are recommended to upgrade to version 24.09.07, which fixes the issue. |