208 matches found

NVD
added 4 days ago, 9 views

CVE-2026-48895

URL Redirection to Untrusted Site 'Open Redirect' vulnerability in Apache APISIX. The attacker could manipulate some client headers to perform an open-redirect, to potentially expose the session token. This issue affects Apache APISIX: from 3.0.0 through 3.16.0. Users are recommended to upgrade t...

CVSS 7.2
Exploits: 0, References: 2
NVD
added 4 days ago, 7 views

CVE-2026-49872

Improper Authentication vulnerability in Apache APISIX. When the cas-auth plugin is used in a route, an attacker can possibly authenticate itself with credentials from a different source. This issue affects Apache APISIX: from 3.0.0 through 3.16.0. Users are recommended to upgrade to version...

CVSS 8.1
Exploits: 0, References: 2
NVD
added 4 days ago, 7 views

CVE-2026-49230

Improper Validation of Integrity Check Value vulnerability in Apache APISIX. The jwe-decrypt plugin under default configuration is vulnerable to authentication bypass. This issue affects Apache APISIX: from 3.8.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the...

CVSS 9.1
Exploits: 0, References: 2
NVD
added 4 days ago, 5 views

CVE-2026-47341

Authentication Bypass by Capture-replay vulnerability in Apache APISIX. Attacker can benefit from certain configurations in hmac-auth to re-use a token forever, bypassing expiry. This issue affects Apache APISIX: from 3.11.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, whic...

CVSS 6.5
Exploits: 0, References: 2
NVD
added 4 days ago, 10 views

CVE-2026-44087

Insufficient Verification of Data Authenticity vulnerability in Apache APISIX. The openid-connect plugin under default configuration has an attack surface that allows the attacker to spoof identity headers, allowing the attacker to get unauthorized access to the protected resources. This issue affect...

CVSS 9.1
Exploits: 0, References: 2
NVD
added 4 days ago, 7 views

CVE-2026-44915

URL Redirection to Untrusted Site 'Open Redirect' vulnerability in Apache APISIX. The default configuration of cas-auth in Apache APISIX is vulnerable to phishing and credential theft. This issue affects Apache APISIX: from 3.0.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0,...

CVSS 6.1
Exploits: 0, References: 2
NVD
added 4 days ago, 8 views

CVE-2026-44046

Use of Less Trusted Source vulnerability in Apache APISIX. Attacker can take advantage of wolf-rbac plugin under default configuration to potentially pollute logs with spoofed identity information and exploit IP based access control rules. This issue affects Apache APISIX: from 1.2.0 through...

CVSS 5.8
Exploits: 0, References: 2
NVD
added 4 days ago, 6 views

CVE-2026-47339

Incorrect Authorization vulnerability in Apache APISIX. An attacker can capitalise on authz-casdoor plugin under default configuration to authenticate themselves with credentials from a different source. This issue affects Apache APISIX: from 2.14.1 through 3.16.0. Users are recommended to upgrad...

CVSS 8.1
Exploits: 0, References: 2
NVD
added 4 days ago, 9 views

CVE-2026-39998

Improper Input Validation vulnerability in Apache APISIX. The attacker can take advantage of certain configuration in forward-auth plugin to spoof identity headers. This issue affects Apache APISIX: from 2.12.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the...

CVSS 8.8
Exploits: 0, References: 2
NVD
added 4 days ago, 8 views

CVE-2026-39999

Authentication Bypass by Spoofing vulnerability in Apache APISIX. The attacker can completely bypass authentication capitalising on certain configurations of jwt-auth plugin. This issue affects Apache APISIX: from v2.2 through v3.16.0. Users are recommended to upgrade to version v3.17.0, which...

CVSS 9.1
Exploits: 0, References: 2
CVE
added 4 days ago, 11 views

CVE-2026-49872

The CVE-2026-49872 entry concerns Apache APISIX and its cas-auth plugin. Affected versions are 3.0.0 through 3.16.0; the issue is an improper authentication flaw where, when cas-auth is used on a route, an attacker may authenticate using credentials from a different source. The public documentati...

CVSS 8.1, AI score 5.9
Exploits: 0, References: 2, Affected Software: 1
Cvelist
added 4 days ago, 25 views

CVE-2026-49872 Apache APISIX: Improper authentication in cas-auth plugin

Improper Authentication vulnerability in Apache APISIX. When the cas-auth plugin is used in a route, an attacker can possibly authenticate itself with credentials from a different source. This issue affects Apache APISIX: from 3.0.0 through 3.16.0. Users are recommended to upgrade to version...

CVSS 5.3
Exploits: 0, References: 1
EUVD
added 4 days ago, 7 views

EUVD-2026-38026

Improper Authentication vulnerability in Apache APISIX. When the cas-auth plugin is used in a route, an attacker can possibly authenticate itself with credentials from a different source. This issue affects Apache APISIX: from 3.0.0 through 3.16.0. Users are recommended to upgrade to version...

CVSS 5.3, AI score 5.9
Exploits: 0, References: 1
CVE
added 4 days ago, 15 views

CVE-2026-49871

CVE-2026-49871 describes a Cross-Site Request Forgery (CSRF) vulnerability in the cas-auth plugin under default configurations in Apache APISIX versions 3.0.0–3.16.0. The issue allows a remote attacker who can lure a victim to a controlled webpage to cause the victim’s browser to become authentic...

CVSS 9.3, AI score 5.9
Exploits: 0, References: 2, Affected Software: 1
EUVD
added 4 days ago, 9 views

EUVD-2026-38025

Cross-Site Request Forgery (CSRF) vulnerability in the cas-auth plugin under default configurations. This defect allows a remote attacker who manages to send a victim to a webpage controlled by them to cause the victim's browser to become authenticated as a different identity. Actions the victim...

CVSS 2.1, AI score 5.9
Exploits: 0, References: 1
Cvelist
added 4 days ago, 28 views

CVE-2026-49871 Apache APISIX: cas-auth login CSRF / session injection issue

Cross-Site Request Forgery (CSRF) vulnerability in the cas-auth plugin under default configurations. This defect allows a remote attacker who manages to send a victim to a webpage controlled by them to cause the victim's browser to become authenticated as a different identity. Actions the victim...

CVSS 2.1
Exploits: 0, References: 1
EUVD
added 4 days ago, 7 views

EUVD-2026-38024

Authentication Bypass by Capture-replay vulnerability in Apache APISIX. Attacker can benefit from certain configurations in hmac-auth to re-use a token forever, bypassing expiry. This issue affects Apache APISIX: from 3.11.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, whic...

CVSS 6.3, AI score 5.8
Exploits: 0, References: 1
CVE
added 4 days ago, 6 views

CVE-2026-47341

CVE-2026-47341 describes an authentication bypass in Apache APISIX due to a capture-replay flaw in the hmac-auth configuration. The issue allows an attacker to reuse a token indefinitely, bypassing expiry, with affected versions 3.11.0 through 3.16.0. The advisory recommends upgrading to 3.17.0, ...

CVSS 6.5, AI score 5.8
Exploits: 0, References: 2, Affected Software: 1
EUVD
added 4 days ago, 6 views

EUVD-2026-38023

URL Redirection to Untrusted Site 'Open Redirect' vulnerability in Apache APISIX. The attacker could manipulate some client headers to perform an open-redirect, to potentially expose the session token. This issue affects Apache APISIX: from 3.0.0 through 3.16.0. Users are recommended to upgrade t...

CVSS 2.1, AI score 5.8
Exploits: 0, References: 1
CVE
added 4 days ago, 9 views

CVE-2026-48895

CVE-2026-48895 describes an open redirect in Apache APISIX (affected versions 3.0.0–3.16.0). The issue allows manipulation of certain client headers to redirect to an untrusted site, with potential exposure of session tokens. The advisory recommends upgrading to version 3.17.0, which contains the...

CVSS 7.2, AI score 5.8
Exploits: 0, References: 2, Affected Software: 1