CVE-2026-49872
- EPSS 0.33%
- Veröffentlicht 19.06.2026 13:19:34
- Zuletzt bearbeitet 23.06.2026 15:18:52
Improper Authentication vulnerability in Apache APISIX. When the cas-auth plugin is used in a route, an attacker can possibly authenticate itself with credentials from a different source. This issue affects Apache APISIX: from 3.0.0 through 3.16.0. ...
CVE-2026-49871
- EPSS 0.23%
- Veröffentlicht 19.06.2026 13:18:36
- Zuletzt bearbeitet 23.06.2026 15:20:01
Cross-Site Request Forgery (CSRF) vulnerability in the cas-auth plugin under default configurations. This defect allows a remote attacker that manages to send a victim to a webpage controlled by them can cause the victim's browser to become authenti...
CVE-2026-47341
- EPSS 0.41%
- Veröffentlicht 19.06.2026 13:17:23
- Zuletzt bearbeitet 23.06.2026 15:16:35
Authentication Bypass by Capture-replay vulnerability in Apache APISIX. Attacker can benefit from certain configurations in hmac-auth to re-use a token forever, bypassing expiry. This issue affects Apache APISIX: from 3.11.0 through 3.16.0. Users a...
CVE-2026-48895
- EPSS 0.3%
- Veröffentlicht 19.06.2026 13:16:29
- Zuletzt bearbeitet 23.06.2026 15:17:01
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Apache APISIX. The attacker could manipulate some client headers to perform an open-redirect, to potentially expose the session token. This issue affects Apache APISIX: from 3.0.0...
CVE-2026-49231
- EPSS 0.36%
- Veröffentlicht 19.06.2026 13:14:52
- Zuletzt bearbeitet 23.06.2026 15:18:30
Authentication Bypass by Spoofing vulnerability in opa plugin. An attacker could relay spoofed identity headers to upstream capitalising on non-default configuration in opa plugin. This could allow the attacker to assume higher privileges on the up...
CVE-2026-49230
- EPSS 0.23%
- Veröffentlicht 19.06.2026 13:13:38
- Zuletzt bearbeitet 23.06.2026 15:17:42
Improper Validation of Integrity Check Value vulnerability in Apache APISIX. The jwe-decrypt plugin under default configuration is vulnerable to authentication bypass. This issue affects Apache APISIX: from 3.8.0 through 3.16.0. Users are recommen...
CVE-2026-44915
- EPSS 0.3%
- Veröffentlicht 19.06.2026 13:12:33
- Zuletzt bearbeitet 23.06.2026 15:11:29
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Apache APISIX. The default configuration of cas-auth in Apache APISIX is vulnerable to phishing and credential theft. This issue affects Apache APISIX: from 3.0.0 through 3.16.0. ...
CVE-2026-44087
- EPSS 0.17%
- Veröffentlicht 19.06.2026 13:11:17
- Zuletzt bearbeitet 23.06.2026 15:11:13
Insufficient Verification of Data Authenticity vulnerability in Apache APISIX. The openid-connect plugin under default configuration has an attack surface that allows the attacker to spoof identity headers allowing the attacker to get unauthorized a...
CVE-2026-47339
- EPSS 0.24%
- Veröffentlicht 19.06.2026 13:10:04
- Zuletzt bearbeitet 23.06.2026 15:11:58
Incorrect Authorization vulnerability in Apache APISIX. An attacker can capitalise on authz-casdoor plugin under default configuration to authenticate themselves with credentials from a different source. This issue affects Apache APISIX: from 2.14.1...
CVE-2026-44046
- EPSS 0.21%
- Veröffentlicht 19.06.2026 13:09:01
- Zuletzt bearbeitet 23.06.2026 15:10:22
Use of Less Trusted Source vulnerability in Apache APISIX. Attacker can take advantage of wolf-rbac plugin under default configuration to potentially pollute logs with spoofed identity information and exploit IP based access control rules. This issu...