Description
Improper Input Validation vulnerability in Apache APISIX.

An attacker can take advantage of certain configurations of the forward-auth plugin to spoof identity headers.
This issue affects Apache APISIX from 2.12.0 through 3.16.0.

Users are recommended to upgrade to version 3.17.0, which fixes the issue.
Published: 2026-06-19
Score: 5.8 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Apache APISIX forward-auth plugin contains an improper input validation flaw: when the plugin is misconfigured, an attacker can inject arbitrary identity headers and thereby impersonate any user or service. Because the gateway accepts the forged headers and treats the request as coming from the spoofed identity, this can lead to unauthorized access or privilege escalation behind the API gateway. The weakness is classified as CWE-20 (Improper Input Validation).

Affected Systems

The affected product is Apache APISIX from the Apache Software Foundation. Versions from 2.12.0 through 3.16.0 are impacted; upgrading to version 3.17.0 or later resolves the issue.

Risk and Exploitability

The CVSS score of 5.8 indicates medium severity, reflecting the potential for identity spoofing. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. The flaw is exploitable remotely by sending crafted HTTP requests to the APISIX gateway that pass through the forward-auth plugin, provided the plugin is enabled and header cleanup is disabled. An attacker needs network access to the gateway but no privileged local access.

Generated by OpenCVE AI on June 19, 2026 at 20:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache APISIX to version 3.17.0 or later to apply the official fix.
  • Review the forward-auth plugin configuration to ensure header cleanup is enabled and identity headers are properly validated.
  • Monitor API traffic logs for anomalous identity header values to detect potential spoofing attempts.

Generated by OpenCVE AI on June 19, 2026 at 20:15 UTC.
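A toy model of the header-cleanup recommendation above, added here as an illustration; it is not APISIX code and not part of the advisory. The identity header names, the function names and the request/response values are assumptions. It shows why a client-supplied identity header survives to the upstream when cleanup is off, how stripping those headers before merging the auth-service response closes the gap, and a simple edge check that flags inbound identity headers for logging or alerting.

```python
# Hypothetical model of a forward-auth step; not APISIX code.
# Assumption: these are the headers only the auth service may set.
IDENTITY_HEADERS = ("x-user-id", "x-user-roles")


def _normalize(headers):
    """Lower-case header names so lookups are case-insensitive."""
    return {name.lower(): value for name, value in headers.items()}


def forward_auth_upstream_headers(client_headers, auth_response_headers, cleanup=True):
    """Build the header set forwarded to the upstream service.

    cleanup=False models the flaw class: an identity header supplied by the
    client survives whenever the auth service does not overwrite it.
    cleanup=True strips every identity header from the client request first,
    so only values set by the auth service reach the upstream.
    """
    client = _normalize(client_headers)
    auth = _normalize(auth_response_headers)
    if cleanup:
        client = {k: v for k, v in client.items() if k not in IDENTITY_HEADERS}
    forwarded = dict(client)
    # Copy only the configured identity headers from the auth-service response.
    for name in IDENTITY_HEADERS:
        if name in auth:
            forwarded[name] = auth[name]
    return forwarded


def inbound_identity_headers(client_headers):
    """Edge check: clients should never send identity headers themselves.
    Returns the offending header names, sorted, for logging or alerting."""
    client = _normalize(client_headers)
    return sorted(name for name in client if name in IDENTITY_HEADERS)


# Constructed sample: a client forges X-User-Id, the auth service only sets roles.
CONSTRUCTED_CLIENT = {"Host": "api.example.test", "X-User-Id": "admin", "Accept": "*/*"}
CONSTRUCTED_AUTH = {"X-User-Roles": "guest"}

if __name__ == "__main__":
    print("without cleanup:", forward_auth_upstream_headers(CONSTRUCTED_CLIENT, CONSTRUCTED_AUTH, cleanup=False))
    print("with cleanup:   ", forward_auth_upstream_headers(CONSTRUCTED_CLIENT, CONSTRUCTED_AUTH))
    print("flagged headers:", inbound_identity_headers(CONSTRUCTED_CLIENT))
```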

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 18:15:00 +0000

Values added:
  • Description: Improper Input Validation vulnerability in Apache APISIX. The attacker can take advantage of certain configuration in forward-auth plugin to spoof identity headers. This issue affects Apache APISIX: from 2.12.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue.
  • Title: Apache APISIX: Identity Injection via forward-auth Plugin Missing Header Cleanup
  • Weaknesses: CWE-20
  • References:
  • Metrics: cvssV4_0, score 5.8, vector CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-06-19T16:49:45.794Z

Reserved: 2026-04-08T02:34:21.516Z

Link: CVE-2026-39998

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-19T20:30:04Z

Weaknesses
  • CWE-20: Improper Input Validation