CVE-2026-48895
Apache APISIX versions 3.0.0–3.16.0 are affected by an open redirect vulnerability that can be triggered by manipulating certain client headers, potentially exposing session tokens. Remediation: upgrade to version 3.17.0, the release in which the fix was applied.