Unrated severityNVD Advisory· Published Jul 6, 2025· Updated Feb 26, 2026

Apache APISIX Java Plugin Runner: Local listening file permissions in APISIX plugin runner allow a local attacker to elevate privileges

CVE-2025-27446

Description

Incorrect Permission Assignment for Critical Resource vulnerability in Apache APISIX(java-plugin-runner).

Local listening file permissions in APISIX plugin runner allow a local attacker to elevate privileges. This issue affects Apache APISIX(java-plugin-runner): from 0.2.0 through 0.5.0.

Users are recommended to upgrade to version 0.6.0 or higher, which fixes the issue.

Affected products

Apache/APISIX java-plugin-runnerllm-create
Range: >=0.2.0, <=0.5.0
Apache Software Foundation/Apache APISIX Java Plugin Runnerv5
Range: 0.2.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

lists.apache.org/thread/qwxnxolt0j5nvjfpr0mlz6h7nrtvyzngmitrevendor-advisory

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000