Apache APISIX Auth Bypass via OPA Plugin ID Spoofing (v3.5.0-3.16.0)
CVE-2026-49231 Published on June 19, 2026

Apache APISIX: Identity spoofing issue in APISIX opa plugin
Authentication Bypass by Spoofing vulnerability in opa plugin. An attacker could relay spoofed identity headers to upstream capitalising on non-default configuration in opa plugin. This could allow the attacker to assume higher privileges on the upstream service. This issue affects Apache APISIX: from 3.5.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue.

Vendor Advisory NVD

Weakness Type

Authentication Bypass by Spoofing

This attack-focused weakness is caused by improperly implemented authentication schemes that are subject to spoofing attacks.

Products Associated with CVE-2026-49231

Want to know whenever a new CVE is published for Apache Apisix? stack.watch will email you.

Apache Apisix

Affected Versions

Apache Software Foundation Apache APISIX:

Version 3.5.0, <= 3.16.0 is affected.

Apache APISIX Auth Bypass via OPA Plugin ID Spoofing (v3.5.0-3.16.0)CVE-2026-49231 Published on June 19, 2026

Weakness Type

Authentication Bypass by Spoofing

Products Associated with CVE-2026-49231

Affected Versions

Apache APISIX Auth Bypass via OPA Plugin ID Spoofing (v3.5.0-3.16.0)
CVE-2026-49231 Published on June 19, 2026