VYPR

Bitnami package

apisix

pkg:bitnami/apisix

Vulnerabilities (25)

  • CVE-2026-49872 (Jun 19, 2026)
    affected >= 3.0.0, < 3.17.0; fixed 3.17.0

    Improper Authentication vulnerability in Apache APISIX. When the cas-auth plugin is used in a route, an attacker can possibly authenticate itself with credentials from a different source. This issue affects Apache APISIX: from 3.0.0 through 3.16.0. Users are recommended to upgr

  • CVE-2026-49871 (Jun 19, 2026)
    affected >= 3.0.0, < 3.17.0; fixed 3.17.0

    Cross-Site Request Forgery (CSRF) vulnerability in the cas-auth plugin under default configurations. This defect allows a remote attacker who manages to send a victim to a webpage they control to cause the victim's browser to become authenticated as a different identity.

  • CVE-2026-47341 (Jun 19, 2026)
    affected >= 3.11.0, <= 3.17.0

    Authentication Bypass by Capture-replay vulnerability in Apache APISIX. Attacker can benefit from certain configurations in hmac-auth to re-use a token forever, bypassing expiry. This issue affects Apache APISIX: from 3.11.0 through 3.16.0. Users are recommended to upgrade to v

  • CVE-2026-48895 (Jun 19, 2026)
    affected >= 3.0.0, < 3.17.0; fixed 3.17.0

    URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Apache APISIX. The attacker could manipulate some client headers to perform an open-redirect, to potentially expose the session token. This issue affects Apache APISIX: from 3.0.0 through 3.16.0. Users are re

  • CVE-2026-49231 (Jun 19, 2026)
    affected >= 3.5.0, <= 3.17.0

    Authentication Bypass by Spoofing vulnerability in opa plugin. An attacker could relay spoofed identity headers to upstream capitalising on non-default configuration in opa plugin. This could allow the attacker to assume higher privileges on the upstream service. This issue aff

  • CVE-2026-49230 (Jun 19, 2026)
    affected >= 3.8.0, < 3.17.0; fixed 3.17.0

    Improper Validation of Integrity Check Value vulnerability in Apache APISIX. The jwe-decrypt plugin under default configuration is vulnerable to authentication bypass.  This issue affects Apache APISIX: from 3.8.0 through 3.16.0. Users are recommended to upgrade to version 3.17

  • CVE-2026-44915 (Jun 19, 2026)
    affected >= 3.0.0, < 3.17.0; fixed 3.17.0

    URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Apache APISIX. The default configuration of cas-auth in Apache APISIX is vulnerable to phishing and credential theft. This issue affects Apache APISIX: from 3.0.0 through 3.16.0. Users are recommended to upgr

  • CVE-2026-44087 (Jun 19, 2026)
    affected >= 2.3.0, < 3.17.0; fixed 3.17.0

    Insufficient Verification of Data Authenticity vulnerability in Apache APISIX. The openid-connect plugin under default configuration has an attack surface that allows the attacker to spoof identity headers, allowing the attacker to get unauthorized access to the protected resources.

  • CVE-2026-47339 (Jun 19, 2026)
    affected >= 2.14.1, < 3.17.0; fixed 3.17.0

    Incorrect Authorization vulnerability in Apache APISIX. An attacker can capitalise on authz-casdoor plugin under default configuration to authenticate themselves with credentials from a different source. This issue affects Apache APISIX: from 2.14.1 through 3.16.0. Users are re

  • CVE-2026-44046 (Jun 19, 2026)
    affected >= 1.2.0, < 3.17.0; fixed 3.17.0

    Use of Less Trusted Source vulnerability in Apache APISIX. Attacker can take advantage of wolf-rbac plugin under default configuration to potentially pollute logs with spoofed identity information and exploit IP based access control rules. This issue affects Apache APISIX: from

  • CVE-2026-39999 (Jun 19, 2026)
    affected >= 2.2.0, < 3.17.0; fixed 3.17.0

    Authentication Bypass by Spoofing vulnerability in Apache APISIX. The attacker can completely bypass authentication capitalising on certain configurations of jwt-auth plugin. This issue affects Apache APISIX: from v2.2 through v3.16.0. Users are recommended to upgrade to versio

  • CVE-2026-39998 (Jun 19, 2026)
    affected >= 2.12.0, < 3.17.0; fixed 3.17.0

    Improper Input Validation vulnerability in Apache APISIX. The attacker can take advantage of certain configuration in forward-auth plugin to spoof identity headers. This issue affects Apache APISIX: from 2.12.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0,

  • CVE-2026-31924, Medium (Apr 14, 2026)
    affected >= 2.99.0, < 3.16.0; fixed 3.16.0

    Cleartext Transmission of Sensitive Information vulnerability in Apache APISIX. The tencent-cloud-cls log export uses plaintext HTTP. This issue affects Apache APISIX: from 2.99.0 through 3.15.0. Users are recommended to upgrade to version 3.16.0, which fixes the issue.

  • CVE-2026-31923, High (Apr 14, 2026)
    affected >= 0.7.0, < 3.16.0; fixed 3.16.0

    Cleartext Transmission of Sensitive Information vulnerability in Apache APISIX. This can occur due to `ssl_verify` in openid-connect plugin configuration being set to false by default. This issue affects Apache APISIX: from 0.7 through 3.15.0. Users are recommended to upgrade t

  • CVE-2026-31908, Critical (Apr 14, 2026)
    affected >= 2.12.0, < 3.16.0; fixed 3.16.0

    Header injection vulnerability in Apache APISIX. The attacker can take advantage of certain configuration in forward-auth plugin to inject malicious headers. This issue affects Apache APISIX: from 2.12.0 through 3.15.0. Users are recommended to upgrade to version 3.16.0, which

  • CVE-2025-62232 (Oct 31, 2025)
    affected >= 1.0.0, < 3.14.0; fixed 3.14.0

    Sensitive data exposure via logging in basic-auth leads to plaintext usernames and passwords written to error logs and forwarded to log sinks when log level is INFO/DEBUG. This creates a high risk of credential compromise through log access. It has been fixed in the following com

  • CVE-2025-27446 (Jul 6, 2025)
    affected >= 0.2.0, < 3.9.0; fixed 3.9.0

    Incorrect Permission Assignment for Critical Resource vulnerability in Apache APISIX(java-plugin-runner). Local listening file permissions in APISIX plugin runner allow a local attacker to elevate privileges. This issue affects Apache APISIX(java-plugin-runner): from 0.2.0 throu

  • CVE-2025-46647 (Jul 2, 2025)
    affected < 3.12.0; fixed 3.12.0

    A vulnerability of plugin openid-connect in Apache APISIX. This vulnerability will only have an impact if all of the following conditions are met: 1. Use the openid-connect plugin with introspection mode 2. The auth service connected to openid-connect provides services to multip

  • CVE-2024-32638 (May 2, 2024)
    affected >= 3.8.0, < 3.9.1; fixed 3.9.1

    Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in Apache APISIX when using the `forward-auth` plugin. This issue affects Apache APISIX: from 3.8.0, 3.9.0. Users are recommended to upgrade to version 3.8.1, 3.9.1 or higher, which fixes the issue.

  • CVE-2023-44487, High, KEV (Oct 10, 2023)
    affected < 3.6.1; fixed 3.6.1

    The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

Page 1 of 2