Description
Improper Input Validation vulnerability in Apache APISIX.

The attacker can take advantage of certain configuration in forward-auth plugin to spoof identity headers.
This issue affects Apache APISIX: from 2.12.0 through 3.16.0.

Users are recommended to upgrade to version 3.17.0, which fixes the issue.
Published: 2026-06-19
Score: 5.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Apache APISIX forward‑auth plugin contains an improper input validation flaw that allows an attacker to inject arbitrary identity headers when the plugin is misconfigured, enabling the attacker to impersonate any user or service. This can lead to unauthorized access or privilege escalation within the API gateway, as the gateway will accept the forged headers and treat the request as coming from the spoofed identity. This vulnerability is categorized as CWE‑20 – Improper Input Validation.

Affected Systems

The affected product is Apache Software Foundation Apache APISIX. Versions from 2.12.0 through 3.16.0 are impacted. An upgrade to version 3.17.0 or later resolves the issue.

Risk and Exploitability

The CVSS score of 5.8 indicates medium severity, reflecting the potential for identity spoofing. EPSS is not available, and the vulnerability is not listed in the CISA KEV catalog. The attacker can exploit this flaw remotely by sending crafted HTTP requests to the APISIX gateway that trigger the forward‑auth plugin, assuming the plugin is enabled and header cleanup is disabled. Attackers need network access to the gateway and do not require privileged local access.

Generated by OpenCVE AI on June 19, 2026 at 21:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache APISIX to version 3.17.0 or later to apply the official fix.
  • Review forward‑auth plugin configuration to ensure header cleanup is enabled and identity headers are properly validated.
  • Monitor API traffic logs for anomalous identity header values to detect potential spoofing attempts.

Generated by OpenCVE AI on June 19, 2026 at 21:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 22 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 19 Jun 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache apache Apisix
Vendors & Products Apache
Apache apache Apisix

Fri, 19 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
Description Improper Input Validation vulnerability in Apache APISIX. The attacker can take advantage of certain configuration in forward-auth plugin to spoof identity headers. This issue affects Apache APISIX: from 2.12.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue.
Title Apache APISIX: Identity Injection via forward-auth Plugin Missing Header Cleanup
Weaknesses CWE-20
References
Metrics cvssV4_0

{'score': 5.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H'}


Subscriptions

Apache Apache Apisix
cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-06-22T16:16:29.535Z

Reserved: 2026-04-08T02:34:21.516Z

Link: CVE-2026-39998

cve-icon Vulnrichment

Updated: 2026-06-22T16:16:24.996Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-19T21:30:17Z

Weaknesses
  • CWE-20

    Improper Input Validation