Lucene search
K

274 matches found

Nuclei
Nuclei
added 6 hours ago70 views

Apache APISIX - Insufficiently Protected Credentials

Apache APISIX 1.2, 1.3, 1.4, and 1.5 is susceptible to insufficiently protected credentials. An attacker can enable the Admin API and delete the Admin API access IP restriction rules. Eventually, the default token is allowed to access APISIX management data. id: CVE-2020-13945 info: name: Apache...

6.5CVSS6.9AI score0.72976EPSS
Exploits5References5
Nuclei
Nuclei
added yesterday94 views

Apache APISIX - Remote Code Execution

A default configuration of Apache APISIX with default API key is vulnerable to remote code execution. An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. When the admin key was changed or the port of Admin API was changed to a port different...

9.8CVSS7.7AI score0.96182EPSS
Exploits16References5
Nuclei
Nuclei
added last week34 views

Apache APISIX Dashboard <2.10.1 - API Unauthorized Access

In Apache APISIX Dashboard before 2.10.1, the Manager API uses two frameworks and introduces framework droplet on the basis of framework gin.' While all APIs and authentication middleware are developed based on framework droplet, some API directly use the interface of framework gin thus bypassing...

9.8CVSS7.2AI score0.85943EPSS
Exploits5References5
OSV
OSV
added 2026/06/23 2:37 p.m.4 views

BIT-APISIX-2026-49872 Apache APISIX: Improper authentication in cas-auth plugin

Improper Authentication vulnerability in Apache APISIX. When the cas-auth plugin is used in a route, an attacker can possibly authenticate itself with credentials from a different source. This issue affects Apache APISIX: from 3.0.0 through 3.16.0. Users are recommended to upgrade to version...

8.1CVSS5.9AI score0.0032EPSS
Exploits0References3
OSV
OSV
added 2026/06/23 2:37 p.m.6 views

BIT-APISIX-2026-49871 Apache APISIX: cas-auth login CSRF / session injection issue

Cross-Site Request Forgery CSRF vulnerability in the cas-auth plugin under default configurations. This defect allows a remote attacker that manages to send a victim to a webpage controlled by them can cause the victim's browser to become authenticated as a different identity. Actions the victim...

9.3CVSS5.9AI score0.00261EPSS
Exploits0References3
OSV
OSV
added 2026/06/23 2:37 p.m.4 views

BIT-APISIX-2026-49231 Apache APISIX: Identity spoofing issue in APISIX opa plugin

Authentication Bypass by Spoofing vulnerability in opa plugin. An attacker could relay spoofed identity headers to upstream capitalising on non-default configuration in opa plugin. This could allow the attacker to assume higher privileges on the upstream service. This issue affects Apache APISIX:...

5.4CVSS5.9AI score0.00359EPSS
Exploits0References3
OSV
OSV
added 2026/06/23 2:37 p.m.6 views

BIT-APISIX-2026-49230 Apache APISIX: Authentication bypass in jwe-decrypt

Improper Validation of Integrity Check Value vulnerability in Apache APISIX. The jwe-decrypt plugin under default configuration is vulnerable to authentication bypass. This issue affects Apache APISIX: from 3.8.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the...

9.1CVSS5.8AI score0.00224EPSS
Exploits1References3
OSV
OSV
added 2026/06/23 2:37 p.m.13 views

BIT-APISIX-2026-48895 Apache APISIX: Cas-auth Host header influence on CAS service URL

URL Redirection to Untrusted Site 'Open Redirect' vulnerability in Apache APISIX. The attacker could manipulate some client headers to perform an open-redirect, to potentially expose the session token. This issue affects Apache APISIX: from 3.0.0 through 3.16.0. Users are recommended to upgrade t...

7.2CVSS5.8AI score0.00409EPSS
Exploits0References3
OSV
OSV
added 2026/06/23 2:37 p.m.4 views

BIT-APISIX-2026-47341 Apache APISIX: Session replay issue in hmac-auth

Authentication Bypass by Capture-replay vulnerability in Apache APISIX. Attacker can benefit from certain configurations in hmac-auth to re-use a token forever, bypassing expiry. This issue affects Apache APISIX: from 3.11.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, whic...

6.5CVSS5.8AI score0.0043EPSS
Exploits0References3
OSV
OSV
added 2026/06/23 2:37 p.m.15 views

BIT-APISIX-2026-47339 Apache APISIX: authz-casdoor incorrect session sharing

Incorrect Authorization vulnerability in Apache APISIX. An attacker can capitalise on authz-casdoor plugin under default configuration to authenticate themselves with credentials from a different source. This issue affects Apache APISIX: from 2.14.1 through 3.16.0. Users are recommended to upgrad...

8.1CVSS5.9AI score0.00285EPSS
Exploits0References3
OSV
OSV
added 2026/06/23 2:37 p.m.16 views

BIT-APISIX-2026-44915 Apache APISIX: Cas-auth plugin open redirect via unsanitized cookie value

URL Redirection to Untrusted Site 'Open Redirect' vulnerability in Apache APISIX. The default configuration of cas-auth in Apache APISIX is vulnerable to phishing and credential theft. This issue affects Apache APISIX: from 3.0.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0,...

6.1CVSS5.8AI score0.004EPSS
Exploits0References3
OSV
OSV
added 2026/06/23 2:37 p.m.4 views

BIT-APISIX-2026-44087 Apache APISIX: Openid-connect plugin Identity Header Spoofing

Insufficient Verification of Data Authenticity vulnerability in Apache APISIX. The openid-connect plugin under default configuration has an attack surface that allows the attacker to spoof identity headers allowing the attacker to get unauthorized access the protected resources. This issue affect...

9.1CVSS5.8AI score0.00213EPSS
Exploits0References3
OSV
OSV
added 2026/06/23 2:37 p.m.5 views

BIT-APISIX-2026-44046 Apache APISIX: wolf-rbac plugin Identity Spoofing

Use of Less Trusted Source vulnerability in Apache APISIX. Attacker can take advantage of wolf-rbac plugin under default configuration to potentially pollute logs with spoofed identity information and exploit IP based access control rules. This issue affects Apache APISIX: from 1.2.0 through...

5.8CVSS5.8AI score0.00314EPSS
Exploits0References3
OSV
OSV
added 2026/06/23 2:37 p.m.25 views

BIT-APISIX-2026-39999 Apache APISIX: JWT Algorithm Confusion allows authentication bypass

Authentication Bypass by Spoofing vulnerability in Apache APISIX. The attacker can completely bypass authentication capitalising on certain configurations of jwt-auth plugin. This issue affects Apache APISIX: from v2.2 through v3.16.0. Users are recommended to upgrade to version v3.17.0, which...

9.1CVSS5.9AI score0.00386EPSS
Exploits0References3
OSV
OSV
added 2026/06/23 2:37 p.m.4 views

BIT-APISIX-2026-39998 Apache APISIX: Identity Injection via forward-auth Plugin Missing Header Cleanup

Improper Input Validation vulnerability in Apache APISIX. The attacker can take advantage of certain configuration in forward-auth plugin to spoof identity headers. This issue affects Apache APISIX: from 2.12.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the...

8.8CVSS5.8AI score0.00403EPSS
Exploits0References3
NVD
NVD
added 2026/06/19 2:16 p.m.11 views

CVE-2026-49872

Improper Authentication vulnerability in Apache APISIX. When the cas-auth plugin is used in a route, an attacker can possibly authenticate itself with credentials from a different source. This issue affects Apache APISIX: from 3.0.0 through 3.16.0. Users are recommended to upgrade to version...

8.1CVSS0.0032EPSS
Exploits0References2
NVD
NVD
added 2026/06/19 2:16 p.m.10 views

CVE-2026-49231

Authentication Bypass by Spoofing vulnerability in opa plugin. An attacker could relay spoofed identity headers to upstream capitalising on non-default configuration in opa plugin. This could allow the attacker to assume higher privileges on the upstream service. This issue affects Apache APISIX:...

5.4CVSS0.00359EPSS
Exploits0References2
NVD
NVD
added 2026/06/19 2:16 p.m.14 views

CVE-2026-48895

URL Redirection to Untrusted Site 'Open Redirect' vulnerability in Apache APISIX. The attacker could manipulate some client headers to perform an open-redirect, to potentially expose the session token. This issue affects Apache APISIX: from 3.0.0 through 3.16.0. Users are recommended to upgrade t...

7.2CVSS0.00409EPSS
Exploits0References2
NVD
NVD
added 2026/06/19 2:16 p.m.11 views

CVE-2026-49230

Improper Validation of Integrity Check Value vulnerability in Apache APISIX. The jwe-decrypt plugin under default configuration is vulnerable to authentication bypass. This issue affects Apache APISIX: from 3.8.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the...

9.1CVSS0.00224EPSS
Exploits1References2
NVD
NVD
added 2026/06/19 2:16 p.m.11 views

CVE-2026-49871

Cross-Site Request Forgery CSRF vulnerability in the cas-auth plugin under default configurations. This defect allows a remote attacker that manages to send a victim to a webpage controlled by them can cause the victim's browser to become authenticated as a different identity. Actions the victim...

9.3CVSS0.00261EPSS
Exploits0References2
Rows per page
Query Builder