Description
Cleartext Transmission of Sensitive Information vulnerability in Apache APISIX.

tencent-cloud-cls log export uses plaintext HTTP
This issue affects Apache APISIX: from 2.99.0 through 3.15.0.

Users are recommended to upgrade to version 3.16.0, which fixes the issue.
Published: 2026-04-14
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive information transmitted in cleartext
Action: Upgrade
AI Analysis

Impact

Apache APISIX’s tencent-cloud-cls plugin transmits log data over plaintext HTTP, which allows an adversary on the network path to intercept and read any sensitive information contained in the logs. This cleartext data transfer is a classic CWE-319 weakness: it exposes confidential information but does not permit code execution or denial of service. An attacker who can observe the network between APISIX and the CLS endpoint can capture log payloads, potentially revealing user data or diagnostic details.

Affected Systems

Systems running Apache APISIX versions 2.99.0 through 3.15.0 are affected. These versions ship the tencent-cloud-cls plugin in its default configuration and are distributed by the Apache Software Foundation. Upgrading to 3.16.0 removes the insecure HTTP transport and implements secure logging.

Risk and Exploitability

Because the flaw relies on plain HTTP transmission, any network path that an attacker can monitor, such as an internal network segment or a compromised router, can be used to capture logs. No authentication bypass is required to exploit the flaw; the attack consists simply of observing traffic. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, suggesting a moderate exploitation risk, but the exposure of potentially sensitive log records makes it a critical concern for organizations that maintain strict confidentiality requirements.

Generated by OpenCVE AI on April 14, 2026 at 09:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache APISIX to version 3.16.0 or later.
  • Verify the tencent-cloud-cls plugin is configured to use HTTPS for log export.
  • Monitor network traffic for any plaintext log transmission anomalies.

Advisories

No advisories yet.

History

Tue, 14 Apr 2026 21:15:00 +0000
  Type: Metrics (ssvc)
  Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 14 Apr 2026 20:30:00 +0000
  Type: Metrics (cvssV3_1)
  Values Added: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Tue, 14 Apr 2026 16:30:00 +0000
  Type: First Time appeared
  Values Added: Apache; Apache apisix
  Type: Vendors & Products
  Values Added: Apache; Apache apisix

Tue, 14 Apr 2026 09:30:00 +0000
  Type: References (values added not shown on this page)

Tue, 14 Apr 2026 08:30:00 +0000
  Type: Description
  Values Added: Cleartext Transmission of Sensitive Information vulnerability in Apache APISIX. tencent-cloud-cls log export uses plaintext HTTP. This issue affects Apache APISIX: from 2.99.0 through 3.15.0. Users are recommended to upgrade to version 3.16.0, which fixes the issue.
  Type: Title
  Values Added: Apache APISIX: Plugin tencent-cloud-cls log export uses plaintext HTTP
  Type: Weaknesses
  Values Added: CWE-319
  Type: References (values added not shown on this page)

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-04-14T19:51:55.994Z

Reserved: 2026-03-10T12:14:05.125Z

Link: CVE-2026-31924

Vulnrichment

Updated: 2026-04-14T08:37:18.355Z

NVD

Status : Received

Published: 2026-04-14T09:16:35.953

Modified: 2026-04-14T20:16:38.340

Link: CVE-2026-31924

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:30:44Z

Weaknesses