Apache Apisix

Improper Auth in Apache APISIX CAS-Auth Plugin (3.0.0-3.16.0)
CVE-2026-49872 - June 19, 2026

Improper Authentication vulnerability in Apache APISIX. When the cas-auth plugin is used in a route, an attacker can possibly authenticate itself with credentials from a different source. This issue affects Apache APISIX: from 3.0.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue.

authentification

CSRF in Apache APISIX cas-auth plugin v3.0.0-3.16.0
CVE-2026-49871 - June 19, 2026

Cross-Site Request Forgery (CSRF) vulnerability in the cas-auth plugin under default configurations. This defect allows a remote attacker that manages to send a victim to a webpage controlled by them can cause the victim's browser to become authenticated as a different identity. Actions the victim takes upstream are then attributed to attackers identity. This issue affects Apache APISIX: from 3.0.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue.

Session Riding

Apache APISIX 3.11-3.16 HMAC Auth Auth Bypass via Capture-Replay, Fixed 3.17
CVE-2026-47341 - June 19, 2026

Authentication Bypass by Capture-replay vulnerability in Apache APISIX. Attacker can benefit from certain configurations in hmac-auth to re-use a token forever, bypassing expiry. This issue affects Apache APISIX: from 3.11.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue.

Authentication Bypass by Capture-replay

Apache APISIX Open Redirect via URL redirection (3.0.0-3.16.0)
CVE-2026-48895 - June 19, 2026

URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Apache APISIX. The attacker could manipulate some client headers to perform an open-redirect, to potentially expose the session token. This issue affects Apache APISIX: from 3.0.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue.

Open Redirect

Apache APISIX Auth Bypass via OPA Plugin ID Spoofing (v3.5.0-3.16.0)
CVE-2026-49231 - June 19, 2026

Authentication Bypass by Spoofing vulnerability in opa plugin. An attacker could relay spoofed identity headers to upstream capitalising on non-default configuration in opa plugin. This could allow the attacker to assume higher privileges on the upstream service. This issue affects Apache APISIX: from 3.5.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue.

Authentication Bypass by Spoofing

Apache APISIX 3.8.0-3.16.0 Auth Bypass via JWE Decrypt
CVE-2026-49230 - June 19, 2026

Improper Validation of Integrity Check Value vulnerability in Apache APISIX. The jwe-decrypt plugin under default configuration is vulnerable to authentication bypass.  This issue affects Apache APISIX: from 3.8.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue.

Improper Validation of Integrity Check Value

Apache APISIX cas-auth Open Redirect (Untrusted Site) pre-3.17
CVE-2026-44915 - June 19, 2026

URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Apache APISIX. The default configuration of cas-auth in Apache APISIX is vulnerable to phishing and credential theft. This issue affects Apache APISIX: from 3.0.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue.

Open Redirect

Apache APISIX OpenID-connect ID Spoofing Vuln 2.3-3.16.0
CVE-2026-44087 - June 19, 2026

Insufficient Verification of Data Authenticity vulnerability in Apache APISIX. The openid-connect plugin under default configuration has an attack surface that allows the attacker to spoof identity headers allowing the attacker to get unauthorized access the protected resources. This issue affects Apache APISIX: from 2.3 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue.

Insufficient Verification of Data Authenticity

APISIX authz-casdoor Plugin AuthZ Flaw (V2.14.1-3.16.0) CVE-2026-47339
CVE-2026-47339 - June 19, 2026

Incorrect Authorization vulnerability in Apache APISIX. An attacker can capitalise on authz-casdoor plugin under default configuration to authenticate themselves with credentials from a different source. This issue affects Apache APISIX: from 2.14.1 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue.

AuthZ

Apache APISIX 1.2.03.16.0 Less Trusted Source Log Spoofing via wolfrbac
CVE-2026-44046 - June 19, 2026

Use of Less Trusted Source vulnerability in Apache APISIX. Attacker can take advantage of wolf-rbac plugin under default configuration to potentially pollute logs with spoofed identity information and exploit IP based access control rules. This issue affects Apache APISIX: from 1.2.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue.

Use of Less Trusted Source

Apache APISIX 3.16.0: JWTAuth Authentication Bypass via Spoofing
CVE-2026-39999 - June 19, 2026

Authentication Bypass by Spoofing vulnerability in Apache APISIX. The attacker can completely bypass authentication capitalising on certain configurations of jwt-auth plugin. This issue affects Apache APISIX: from v2.2 through v3.16.0. Users are recommended to upgrade to version v3.17.0, which fixes the issue.

Authentication Bypass by Spoofing

APISIX 2.12-3.16 Improper Input Validation in forward-auth Plugin
CVE-2026-39998 - June 19, 2026

Improper Input Validation vulnerability in Apache APISIX. The attacker can take advantage of certain configuration in forward-auth plugin to spoof identity headers. This issue affects Apache APISIX: from 2.12.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue.

Improper Input Validation

Apache APISIX Cleartext Transmission in OIDC Plugin 0.7-3.15.0
CVE-2026-31923 7.5 - High - April 14, 2026

Cleartext Transmission of Sensitive Information vulnerability in Apache APISIX. This can occur due to `ssl_verify` in openid-connect plugin configuration being set to false by default. This issue affects Apache APISIX: from 0.7 through 3.15.0. Users are recommended to upgrade to version 3.16.0, which fixes the issue.

Cleartext Transmission of Sensitive Information

C2S: Apache APISIX Cleartext HTTP Data Transfer (Logs) < 3.16.0
CVE-2026-31924 5.3 - Medium - April 14, 2026

Cleartext Transmission of Sensitive Information vulnerability in Apache APISIX. tencent-cloud-cls log export uses plaintext HTTP This issue affects Apache APISIX: from 2.99.0 through 3.15.0. Users are recommended to upgrade to version 3.16.0, which fixes the issue.

Cleartext Transmission of Sensitive Information

Apache APISIX Header Injection via forward-auth plugin 2.12.0-3.15.0
CVE-2026-31908 9.1 - Critical - April 14, 2026

Header injection vulnerability in Apache APISIX. The attacker can take advantage of certain configuration in forward-auth plugin to inject malicious headers. This issue affects Apache APISIX: from 2.12.0 through 3.15.0. Users are recommended to upgrade to version 3.16.0, which fixes the issue.

Special Element Injection

Sensitive Data Exposure via basic-auth Logging in Apache APISIX <3.14
CVE-2025-62232 7.5 - High - October 31, 2025

Sensitive data exposure via logging in basic-auth leads to plaintext usernames and passwords written to error logs and forwarded to log sinks when log level is INFO/DEBUG. This creates a high risk of credential compromise through log access. It has been fixed in the following commit:  https://github.com/apache/apisix/pull/12629 Users are recommended to upgrade to version 3.14, which fixes this issue.

Insertion of Sensitive Information into Log File

APISIX java-plugin-runner 0.2-0.5 Local Permission Elevation
CVE-2025-27446 7.8 - High - July 06, 2025

Incorrect Permission Assignment for Critical Resource vulnerability in Apache APISIX(java-plugin-runner). Local listening file permissions in APISIX plugin runner allow a local attacker to elevate privileges. This issue affects Apache APISIX(java-plugin-runner): from 0.2.0 through 0.5.0. Users are recommended to upgrade to version 0.6.0 or higher, which fixes the issue.

Incorrect Permission Assignment for Critical Resource

Apache APISIX openid-connect Plugin Introspection Vulnerability Before 3.12.0
CVE-2025-46647 5.3 - Medium - July 02, 2025

A vulnerability of plugin openid-connect in Apache APISIX. This vulnerability will only have an impact if all of the following conditions are met: 1. Use the openid-connect plugin with introspection mode 2. The auth service connected to openid-connect provides services to multiple issuers 3. Multiple issuers share the same private key and relies only on the issuer being different If affected by this vulnerability, it would allow an attacker with a valid account on one of the issuers to log into the other issuer. This issue affects Apache APISIX: until 3.12.0. Users are recommended to upgrade to version 3.12.0 or higher.

Authentication Bypass by Assumed-Immutable Data

Apache APISIX HTTP Request Smuggling via forward-auth (v3.8.03.9.0)
CVE-2024-32638 - May 02, 2024

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in Apache APISIX when using `forward-auth` plugin.This issue affects Apache APISIX: from 3.8.0, 3.9.0. Users are recommended to upgrade to version 3.8.1, 3.9.1 or higher, which fixes the issue.

HTTP Request Smuggling

HTTP/2 DoS via Stream Reset in nginx
CVE-2023-44487 7.5 - High - October 10, 2023

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

Resource Exhaustion

In APache APISIX before 3.13.1, the jwt-auth plugin has a security issue
CVE-2022-29266 7.5 - High - April 20, 2022

In APache APISIX before 3.13.1, the jwt-auth plugin has a security issue that leaks the user's secret key because the error message returned from the dependency lua-resty-jwt contains sensitive information.

Generation of Error Message Containing Sensitive Information

In Apache APISIX before 2.13.0, when decoding JSON with duplicate keys, lua-cjson will choose the last occurred value as the result
CVE-2022-25757 9.8 - Critical - March 28, 2022

In Apache APISIX before 2.13.0, when decoding JSON with duplicate keys, lua-cjson will choose the last occurred value as the result. By passing a JSON with a duplicate key, the attacker can bypass the body_schema validation in the request-validation plugin. For example, `{"string_payload":"bad","string_payload":"good"}` can be used to hide the "bad" input. Systems satisfy three conditions below are affected by this attack: 1. use body_schema validation in the request-validation plugin 2. upstream application uses a special JSON library that chooses the first occurred value, like jsoniter or gojay 3. upstream application does not validate the input anymore. The fix in APISIX is to re-encode the validated JSON input back into the request body at the side of APISIX. Improper Input Validation vulnerability in __COMPONENT__ of Apache APISIX allows an attacker to __IMPACT__. This issue affects Apache APISIX Apache APISIX version 2.12.1 and prior versions.

Improper Input Validation

An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API
CVE-2022-24112 9.8 - Critical - February 11, 2022

An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. A default configuration of Apache APISIX (with default API key) is vulnerable to remote code execution. When the admin key was changed or the port of Admin API was changed to a port different from the data panel, the impact is lower. But there is still a risk to bypass the IP restriction of Apache APISIX's data panel. There is a check in the batch-requests plugin which overrides the client IP with its real remote IP. But due to a bug in the code, this check can be bypassed.

Authentication Bypass by Spoofing

The uri-block plugin in Apache APISIX before 2.10.2 uses $request_uri without verification
CVE-2021-43557 7.5 - High - November 22, 2021

The uri-block plugin in Apache APISIX before 2.10.2 uses $request_uri without verification. The $request_uri is the full original request URI without normalization. This makes it possible to construct a URI to bypass the block list on some occasions. For instance, when the block list contains "^/internal/", a URI like `//internal/` can be used to bypass it. Some other plugins also have the same issue. And it may affect the developer's custom plugin.

Command Injection

In Apache APISIX, the user enabled the Admin API and deleted the Admin API access IP restriction rules
CVE-2020-13945 6.5 - Medium - December 07, 2020

In Apache APISIX, the user enabled the Admin API and deleted the Admin API access IP restriction rules. Eventually, the default token is allowed to access APISIX management data. This affects versions 1.2, 1.3, 1.4, 1.5.