Bitnami package
apisix
pkg:bitnami/apisix
Vulnerabilities (25)
| CVE | Severity | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-49872 | — | — | — | >= 3.0.0, < 3.17.0 | 3.17.0 | Jun 19, 2026 | Improper Authentication vulnerability in Apache APISIX. When the cas-auth plugin is used in a route, an attacker can possibly authenticate itself with credentials from a different source. This issue affects Apache APISIX: from 3.0.0 through 3.16.0. Users are recommended to upgr |
| CVE-2026-49871 | — | — | — | >= 3.0.0, < 3.17.0 | 3.17.0 | Jun 19, 2026 | Cross-Site Request Forgery (CSRF) vulnerability in the cas-auth plugin under default configurations. This defect allows a remote attacker that manages to send a victim to a webpage controlled by them to cause the victim's browser to become authenticated as a different identity. |
| CVE-2026-47341 | — | — | — | >= 3.11.0, <= 3.17.0 | — | Jun 19, 2026 | Authentication Bypass by Capture-replay vulnerability in Apache APISIX. Attacker can benefit from certain configurations in hmac-auth to re-use a token forever, bypassing expiry. This issue affects Apache APISIX: from 3.11.0 through 3.16.0. Users are recommended to upgrade to v |
| CVE-2026-48895 | — | — | — | >= 3.0.0, < 3.17.0 | 3.17.0 | Jun 19, 2026 | URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Apache APISIX. The attacker could manipulate some client headers to perform an open-redirect, to potentially expose the session token. This issue affects Apache APISIX: from 3.0.0 through 3.16.0. Users are re |
| CVE-2026-49231 | — | — | — | >= 3.5.0, <= 3.17.0 | — | Jun 19, 2026 | Authentication Bypass by Spoofing vulnerability in opa plugin. An attacker could relay spoofed identity headers to upstream capitalising on non-default configuration in opa plugin. This could allow the attacker to assume higher privileges on the upstream service. This issue aff |
| CVE-2026-49230 | — | — | — | >= 3.8.0, < 3.17.0 | 3.17.0 | Jun 19, 2026 | Improper Validation of Integrity Check Value vulnerability in Apache APISIX. The jwe-decrypt plugin under default configuration is vulnerable to authentication bypass. This issue affects Apache APISIX: from 3.8.0 through 3.16.0. Users are recommended to upgrade to version 3.17 |
| CVE-2026-44915 | — | — | — | >= 3.0.0, < 3.17.0 | 3.17.0 | Jun 19, 2026 | URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Apache APISIX. The default configuration of cas-auth in Apache APISIX is vulnerable to phishing and credential theft. This issue affects Apache APISIX: from 3.0.0 through 3.16.0. Users are recommended to upgr |
| CVE-2026-44087 | — | — | — | >= 2.3.0, < 3.17.0 | 3.17.0 | Jun 19, 2026 | Insufficient Verification of Data Authenticity vulnerability in Apache APISIX. The openid-connect plugin under default configuration has an attack surface that allows the attacker to spoof identity headers, allowing the attacker to get unauthorized access to the protected resources. |
| CVE-2026-47339 | — | — | — | >= 2.14.1, < 3.17.0 | 3.17.0 | Jun 19, 2026 | Incorrect Authorization vulnerability in Apache APISIX. An attacker can capitalise on authz-casdoor plugin under default configuration to authenticate themselves with credentials from a different source. This issue affects Apache APISIX: from 2.14.1 through 3.16.0. Users are re |
| CVE-2026-44046 | — | — | — | >= 1.2.0, < 3.17.0 | 3.17.0 | Jun 19, 2026 | Use of Less Trusted Source vulnerability in Apache APISIX. Attacker can take advantage of wolf-rbac plugin under default configuration to potentially pollute logs with spoofed identity information and exploit IP based access control rules. This issue affects Apache APISIX: from |
| CVE-2026-39999 | — | — | — | >= 2.2.0, < 3.17.0 | 3.17.0 | Jun 19, 2026 | Authentication Bypass by Spoofing vulnerability in Apache APISIX. The attacker can completely bypass authentication capitalising on certain configurations of jwt-auth plugin. This issue affects Apache APISIX: from v2.2 through v3.16.0. Users are recommended to upgrade to versio |
| CVE-2026-39998 | — | — | — | >= 2.12.0, < 3.17.0 | 3.17.0 | Jun 19, 2026 | Improper Input Validation vulnerability in Apache APISIX. The attacker can take advantage of certain configuration in forward-auth plugin to spoof identity headers. This issue affects Apache APISIX: from 2.12.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, |
| CVE-2026-31924 | Medium | 5.3 | — | >= 2.99.0, < 3.16.0 | 3.16.0 | Apr 14, 2026 | Cleartext Transmission of Sensitive Information vulnerability in Apache APISIX. tencent-cloud-cls log export uses plaintext HTTP. This issue affects Apache APISIX: from 2.99.0 through 3.15.0. Users are recommended to upgrade to version 3.16.0, which fixes the issue. |
| CVE-2026-31923 | High | 7.5 | — | >= 0.7.0, < 3.16.0 | 3.16.0 | Apr 14, 2026 | Cleartext Transmission of Sensitive Information vulnerability in Apache APISIX. This can occur due to `ssl_verify` in openid-connect plugin configuration being set to false by default. This issue affects Apache APISIX: from 0.7 through 3.15.0. Users are recommended to upgrade t |
| CVE-2026-31908 | Critical | 9.1 | — | >= 2.12.0, < 3.16.0 | 3.16.0 | Apr 14, 2026 | Header injection vulnerability in Apache APISIX. The attacker can take advantage of certain configuration in forward-auth plugin to inject malicious headers. This issue affects Apache APISIX: from 2.12.0 through 3.15.0. Users are recommended to upgrade to version 3.16.0, which |
| CVE-2025-62232 | — | — | — | >= 1.0.0, < 3.14.0 | 3.14.0 | Oct 31, 2025 | Sensitive data exposure via logging in basic-auth leads to plaintext usernames and passwords written to error logs and forwarded to log sinks when log level is INFO/DEBUG. This creates a high risk of credential compromise through log access. It has been fixed in the following com |
| CVE-2025-27446 | — | — | — | >= 0.2.0, < 3.9.0 | 3.9.0 | Jul 6, 2025 | Incorrect Permission Assignment for Critical Resource vulnerability in Apache APISIX (java-plugin-runner). Local listening file permissions in APISIX plugin runner allow a local attacker to elevate privileges. This issue affects Apache APISIX (java-plugin-runner): from 0.2.0 throu |
| CVE-2025-46647 | — | — | — | < 3.12.0 | 3.12.0 | Jul 2, 2025 | A vulnerability of plugin openid-connect in Apache APISIX. This vulnerability will only have an impact if all of the following conditions are met: 1. Use the openid-connect plugin with introspection mode 2. The auth service connected to openid-connect provides services to multip |
| CVE-2024-32638 | — | — | — | >= 3.8.0, < 3.9.1 | 3.9.1 | May 2, 2024 | Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in Apache APISIX when using `forward-auth` plugin. This issue affects Apache APISIX: from 3.8.0, 3.9.0. Users are recommended to upgrade to version 3.8.1, 3.9.1 or higher, which fixes the issue. |
| CVE-2023-44487 | High | 7.5 | KEV | < 3.6.1 | 3.6.1 | Oct 10, 2023 | The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. |
Page 1 of 2