Description
Use of Less Trusted Source vulnerability in Apache APISIX.

An attacker can take advantage of the wolf-rbac plugin under its default configuration to potentially pollute logs with spoofed identity information and exploit IP-based access control rules.
This issue affects Apache APISIX: from 1.2.0 through 3.16.0.

Users are recommended to upgrade to version 3.17.0, which fixes the issue.
Published: 2026-06-19
Score: 2.3 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Apache APISIX’s wolf-rbac plugin accepts identity data from a less trusted source, allowing an attacker to insert forged identity information into logs and potentially to bypass IP-based access control rules. The flaw is classified as CWE-348 (Use of Less Trusted Source): the plugin places trust in data it should not rely on. As a consequence, an adversary can have a spoofed identity recorded in audit records and may gain access that IP-based restrictions were meant to prevent.

Affected Systems

The issue affects Apache APISIX versions from 1.2.0 through 3.16.0, which are the releases that include the wolf‑rbac plugin with its default configuration.

Risk and Exploitability

The CVSS score of 2.3 indicates low overall risk. No EPSS data is available, so the likelihood of exploitation is uncertain, and the vulnerability is not listed in CISA’s KEV catalog. An attacker can exploit the flaw against the plugin’s default configuration by sending spoofed identity headers; the attack requires only the ability to tamper with the identity information presented to the plugin. Because the flaw stems from a less trusted source being treated as trusted, it does not require privileged access or complex exploitation steps.

Generated by OpenCVE AI on June 19, 2026 at 20:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑provided patch by upgrading Apache APISIX to version 3.17.0 or later.
  • Reconfigure the wolf‑rbac plugin to source identity data only from verified and trusted headers or services.
  • Review and harden access‑control rules so that IP restrictions cannot be overridden by spoofed identities, and monitor logs for unusual identity entries.

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 18:15:00 +0000

Type          Values Removed   Values Added
Description   (empty)          Use of Less Trusted Source vulnerability in Apache APISIX. Attacker can take advantage of wolf-rbac plugin under default configuration to potentially pollute logs with spoofed identity information and exploit IP based access control rules. This issue affects Apache APISIX: from 1.2.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue.
Title         (empty)          Apache APISIX: wolf-rbac plugin Identity Spoofing
Weaknesses    (empty)          CWE-348
References    (empty)          (empty)
Metrics       (empty)          cvssV4_0: {'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N'}

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-06-19T16:49:48.160Z

Reserved: 2026-05-05T05:50:59.546Z

Link: CVE-2026-44046

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-19T20:15:02Z

Weaknesses
  • CWE-348: Use of Less Trusted Source