CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

23 matches found

CVE-2026-39998

Improper Input Validation vulnerability in Apache APISIX. The attacker can take advantage of certain configuration in forward-auth plugin to spoof identity headers. This issue affects Apache APISIX: from 2.12.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the...

5.8CVSS

Exploits0References2

EUVD•added 4 days ago•8 views

EUVD-2026-38011

5.8CVSS5.8AI score

Exploits0References1

Positive Technologies•added 4 days ago•10 views

PT-2026-50884

Name of the Vulnerable Software and Affected Versions Apache APISIX versions 2.3 through 3.16.0 Description The openid-connect plugin under default configuration contains an issue where insufficient verification of data authenticity allows an attacker to spoof identity headers. This can lead to...

5.3CVSS5.9AI score

Exploits0References4

NVD•added 2026/06/12 10:16 p.m.•14 views

CVE-2026-53832

OpenClaw before 2026.5.18 contains an identity header validation vulnerability allowing local same-host callers to forge trusted-proxy identity headers. Attackers with access to the proxy-facing Gateway port can supply forged identity headers to assume operator identity and potentially escalate...

7.7CVSS0.001EPSS

Exploits0References2

OSV•added 2026/05/14 9:30 p.m.•9 views

GHSA-4G9M-RFFV-H6WQ Crabbox: authentication bypass vulnerability that allows impersonation of others by spoofing identity headers

Crabbox prior to v0.12.0 contains an authentication bypass vulnerability that allows non-admin shared-token callers to impersonate other owners or organizations by spoofing identity headers. Attackers can inject malicious X-Crabbox-Owner and X-Crabbox-Org headers in requests authenticated with a...

8.8CVSS5.8AI score0.00361EPSS

Exploits0References6

Github Security Blog•added 2026/05/14 9:30 p.m.•11 views

Crabbox: authentication bypass vulnerability that allows impersonation of others by spoofing identity headers

8.8CVSS5.8AI score0.00361EPSS

Exploits0References6Affected Software1

NVD•added 2026/05/14 7:16 p.m.•14 views

CVE-2026-8621

8.8CVSS0.00361EPSS

Exploits0References4

Cvelist•added 2026/05/14 6:46 p.m.•30 views

CVE-2026-8621 Crabbox < v0.12.0 Authentication Bypass via Header Spoofing

8.8CVSS0.00361EPSS

Exploits0References4

OSV•added 2026/03/10 6:28 p.m.•2 views

GO-2026-4597 traefik CVE-2024-45410 fix bypass: lowercase `Connection` tokens can delete traefik-managed forwarded identity headers (for example, `X-Real-Ip`) in github.com/traefik/traefik

traefik CVE-2024-45410 fix bypass: lowercase Connection tokens can delete traefik-managed forwarded identity headers for example, X-Real-Ip in github.com/traefik/traefik...

7.5CVSS5.8AI score0.0041EPSS

Exploits0References4

Snyk•added 2026/03/06 11:38 p.m.•3 views

Header Injection

Overview Affected versions of this package are vulnerable to Header Injection in the parseCaddyfile function. An attacker can inject arbitrary values into trusted identity headers by supplying crafted HTTP headers when authenticated with a valid token, leading to unauthorized privilege escalation...

8.8CVSS5.9AI score0.00249EPSS

Exploits1References2

Snyk•added 2026/03/06 11:38 p.m.•2 views

Header Injection

8.8CVSS5.9AI score0.00249EPSS

Exploits1References2

Snyk•added 2026/03/05 9:13 p.m.•4 views

Improper Handling of Case Sensitivity

Overview Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity in the processing of HTTP/1.1 requests when handling the Connection header with X-Forwarded headers. An attacker can cause the removal of forwarded identity headers by sending requests with lowercas...

9.8CVSS7.3AI score0.015EPSS

Exploits0References2

OSV•added 2026/03/05 4:18 p.m.•4 views

CVE-2026-29054 Traefik: lowercase `Connection` tokens can delete traefik-managed forwarded identity headers (for example, `X-Real-Ip`)

Traefik is an HTTP reverse proxy and load balancer. From version 2.11.9 to 2.11.37 and from version 3.1.3 to 3.6.8, there is a potential vulnerability in Traefik managing the Connection header with X-Forwarded headers. When Traefik processes HTTP/1.1 requests, the protection put in place to preve...

7.5CVSS7.1AI score0.0041EPSS

Exploits0References5

CNNVD•added 2026/03/05 12:0 a.m.•5 views

Traefik 安全漏洞

Traefik is an open-source reverse proxy and load balancing tool developed by Traefik. Versions 2.11.9 to 2.11.37, as well as 3.1.3 to 3.6.8, have security vulnerabilities. These vulnerabilities stem from improper handling of case sensitivity when processing Connection headers. This can allow...

7.5CVSS7.3AI score0.0041EPSS

Exploits0References4

Github Security Blog•added 2026/03/04 9:19 p.m.•4 views

traefik CVE-2024-45410 fix bypass: lowercase `Connection` tokens can delete traefik-managed forwarded identity headers (for example, `X-Real-Ip`)

Impact There is a potential vulnerability in Traefik managing the Connection header with X-Forwarded headers. When Traefik processes HTTP/1.1 requests, the protection put in place to prevent the removal of Traefik-managed X-Forwarded headers such as X-Real-Ip, X-Forwarded-Host, X-Forwarded-Port,...

9.8CVSS6AI score0.015EPSS

Exploits0References5Affected Software2

OSV•added 2026/03/04 9:19 p.m.•4 views

GHSA-92MV-8F8W-WQ52 traefik CVE-2024-45410 fix bypass: lowercase `Connection` tokens can delete traefik-managed forwarded identity headers (for example, `X-Real-Ip`)

7.5CVSS6AI score0.0041EPSS

Exploits0References5

NVD•added 2026/01/19 6:16 p.m.•9 views

CVE-2026-22797

An issue was discovered in OpenStack keystonemiddleware 10.5 through 10.7 before 10.7.2, 10.8 and 10.9 before 10.9.1, and 10.10 through 10.12 before 10.12.1. The externaloauth2token middleware fails to sanitize incoming authentication headers before processing OAuth 2.0 tokens. By sending forged...

9.9CVSS0.00453EPSS

Exploits0References6