5.8

CVE-2026-44046

Apache APISIX: wolf-rbac plugin Identity Spoofing

Use of Less Trusted Source vulnerability in Apache APISIX.

Attacker can take advantage of wolf-rbac plugin under default configuration to potentially pollute logs with spoofed identity information and exploit IP based access control rules.
This issue affects Apache APISIX: from 1.2.0 through 3.16.0.

Users are recommended to upgrade to version 3.17.0, which fixes the issue.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
ApacheApisix Version >= 1.2 < 3.17.0
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.31% 0.23
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5.8 3.9 1.4
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
security@apache.org 2.3 0 0
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CWE-348 Use of Less Trusted Source

The product has two different sources of the same data or information, but it uses the source that has less support for verification, is less trusted, or is less resistant to attack.

https://lists.apache.org/thread/xkshmps51b24yw0qckl5h5ddyv0x6qf9
Vendor Advisory
Mailing List
http://www.openwall.com/lists/oss-security/2026/06/19/6
Third Party Advisory