The vulnerability arises when the OpenID‑Connect plugin for Apache APISIX is installed with its ssl_verify setting left to the default of false, which disables TLS verification. This allows confidential data, including authentication tokens and other sensitive payloads, to be sent in cleartext across the network. The flaw is a classic cleartext transmission vulnerability (CWE‑319). An attacker who can observe traffic to the APISIX gateway could thus intercept or modify information that should otherwise be protected by transport layer security.

Apache APISIX deployments from version 0.7 through 3.15.0 are affected, provided the OpenID‑Connect plugin is in use and has not been explicitly configured to enable ssl_verify. Users of earlier or later releases, or those that have overridden ssl_verify to true, are not impacted.

The CVSS score of 7.5 reflects a high severity, but the EPSS score of less than 1 % indicates a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Attackers could exploit the weakness remotely by sending requests to the plugin’s endpoints from any location with network access to a publicly reachable APISIX gateway; the requirement that the plugin be in its default configuration limits the attack surface to installations that have not applied the vendor’s recommended upgrade or reconfigured ssl_verify.