Description
Insufficient Verification of Data Authenticity vulnerability in Apache APISIX.

The openid-connect plugin under default configuration has an attack surface that allows the attacker to spoof identity headers allowing the attacker to get unauthorized access the protected resources.
This issue affects Apache APISIX: from 2.3 through 3.16.0.

Users are recommended to upgrade to version 3.17.0, which fixes the issue.
Published: 2026-06-19
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Apache APISIX’s openid-connect plugin performs insufficient verification of data authenticity, enabling attackers to spoof identity headers. Based on the description, this flaw allows an attacker to impersonate another user and access resources that require authenticated identities, which is inferred to potentially violate confidentiality and integrity. The weakness is classified as CWE-345: Information Exposure Through Spoofed Authentication Credential.

Affected Systems

The vulnerability affects Apache Software Foundation’s Apache APISIX from version 2.3 up through 3.16.0. The earlier and later releases are not affected.

Risk and Exploitability

The CVSS score of 5.3 indicates a medium risk. EPSS information is not available, and the vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is inferred to be the submission of crafted HTTP requests to the APISIX gateway’s openid-connect plugin, exploiting the lack of header validation. The exploit does not require elevated privileges, so it can potentially be performed by remote actors who can reach the API gateway.

Generated by OpenCVE AI on June 19, 2026 at 21:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache APISIX to v3.17.0 or later, which contains the fix for the identity header spoofing issue.
  • If an immediate upgrade is not possible, temporarily disable the openid-connect plugin on all APISIX gateways until the patch is available.
  • Configure the openid-connect plugin to enforce strict identity header validation, ensuring that any identity passed via headers is verified against a trusted issuer and signed token.

Generated by OpenCVE AI on June 19, 2026 at 21:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 22 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 19 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache apisix
Vendors & Products Apache
Apache apisix

Fri, 19 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
Description Insufficient Verification of Data Authenticity vulnerability in Apache APISIX. The openid-connect plugin under default configuration has an attack surface that allows the attacker to spoof identity headers allowing the attacker to get unauthorized access the protected resources. This issue affects Apache APISIX: from 2.3 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue.
Title Apache APISIX: Openid-connect plugin Identity Header Spoofing
Weaknesses CWE-345
References
Metrics cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-06-22T16:19:00.993Z

Reserved: 2026-05-05T07:58:39.457Z

Link: CVE-2026-44087

cve-icon Vulnrichment

Updated: 2026-06-22T16:18:56.274Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-19T21:45:04Z

Weaknesses
  • CWE-345

    Insufficient Verification of Data Authenticity