Apache APISIX 1.2.03.16.0 Less Trusted Source Log Spoofing via wolfrbac
CVE-2026-44046 Published on June 19, 2026

Apache APISIX: wolf-rbac plugin Identity Spoofing
Use of Less Trusted Source vulnerability in Apache APISIX. Attacker can take advantage of wolf-rbac plugin under default configuration to potentially pollute logs with spoofed identity information and exploit IP based access control rules. This issue affects Apache APISIX: from 1.2.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue.

Vendor Advisory NVD

Weakness Type

Use of Less Trusted Source

The software has two different sources of the same data or information, but it uses the source that has less support for verification, is less trusted, or is less resistant to attack.

Products Associated with CVE-2026-44046

Want to know whenever a new CVE is published for Apache Apisix? stack.watch will email you.

Apache Apisix

Affected Versions

Apache Software Foundation Apache APISIX:

Version 1.2.0, <= 3.16.0 is affected.

Apache APISIX 1.2.03.16.0 Less Trusted Source Log Spoofing via wolfrbacCVE-2026-44046 Published on June 19, 2026

Weakness Type

Use of Less Trusted Source

Products Associated with CVE-2026-44046

Affected Versions

Apache APISIX 1.2.03.16.0 Less Trusted Source Log Spoofing via wolfrbac
CVE-2026-44046 Published on June 19, 2026