Description
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Apache APISIX.

The default configuration of cas-auth in Apache APISIX is vulnerable to phishing and credential theft.

This issue affects Apache APISIX: from 3.0.0 through 3.16.0.

Users are recommended to upgrade to version 3.17.0, which fixes the issue.
Published: 2026-06-19
Score: 2.1 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the default configuration of the cas-auth plugin in Apache APISIX allows an attacker to craft an HTTP request that includes an unsanitized cookie value. The plugin blindly uses this value to build a redirection URL, enabling the attacker to redirect users to untrusted sites and potentially phish for credentials. This vulnerability is a classic open redirect; it does not grant arbitrary code execution or system compromise but can be used as a vector for phishing or credential theft attacks, compromising the confidentiality of user credentials and trust.

Affected Systems

Apache APISIX versions 3.0.0 through 3.16.0 are affected. The vulnerability exists where the cas-auth plugin is enabled with its default settings. Operators of affected environments should verify whether the plugin is installed or actively used. All installations of Apache APISIX within the specified version range must be reviewed.

Risk and Exploitability

The CVSS score of 2.1 indicates low severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog, suggesting limited exploitation evidence. The attack path requires an attacker to influence the cookie sent to the APISIX instance, typically through a crafted request to a protected endpoint that triggers the cas-auth plugin. Given the low complexity and the lack of broader exploitation data, the immediate risk to enterprise systems is low, but phishing campaigns could exploit the redirect to harm users.

Generated by OpenCVE AI on June 19, 2026 at 20:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor-provided patch and upgrade Apache APISIX to version 3.17.0 or later to eliminate the unsanitized cookie handling.
  • If an upgrade is not yet possible, disable or remove the cas-auth plugin from the APISIX configuration to prevent the redirect logic from executing.
  • Review and tighten any external access to the cas-auth endpoint, ensuring only trusted clients can set or modify cookie values; validate or sanitize cookie data before using it for redirection.
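The last recommended action, validating the cookie value before using it as a redirect target, is the standard CWE-601 mitigation. The following is an added illustration of that check, written here for this page; it is generic Python, not the cas-auth plugin's Lua code, and it is not the fix shipped in APISIX 3.17.0. It assumes that the post-login destination arrives in a cookie (the cookie name `cas_return_to` and the hostnames in `TRUSTED_HOSTS` are hypothetical) and that the gateway knows the public hostnames it is served under. Anything that does not resolve to this site, including protocol-relative `//host` forms, backslash variants, `user@host` authorities and non-HTTP schemes, falls back to a fixed safe path.

```python
"""Allowlist check for a redirect target taken from an untrusted cookie.

Generic illustration of the CWE-601 mitigation ("validate or sanitize
cookie data before using it for redirection"). Not APISIX code; the
cookie name and trusted hostnames below are hypothetical.
"""
from urllib.parse import urlsplit, urlunsplit

# Hostnames this gateway answers for (hypothetical values for the demo).
TRUSTED_HOSTS = frozenset({"gateway.example", "www.gateway.example"})
SAFE_FALLBACK = "/"


def safe_redirect_target(raw, trusted_hosts=TRUSTED_HOSTS, fallback=SAFE_FALLBACK):
    """Return ``raw`` if it points back into this site, else ``fallback``.

    Accepts two shapes only: a site-relative path beginning with a single
    "/", or an absolute http(s) URL whose hostname is in ``trusted_hosts``.
    """
    if not raw:
        return fallback
    # CR/LF, NUL and other control characters have no place in a Location value.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in raw):
        return fallback
    # Browsers treat "\" like "/", so "/\evil.example" is read as a
    # protocol-relative URL; normalise the same way before parsing.
    candidate = raw.strip().replace("\\", "/")
    try:
        parts = urlsplit(candidate)
    except ValueError:          # e.g. unbalanced "[" in the authority
        return fallback

    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return fallback         # javascript:, data:, custom schemes
    if parts.netloc:
        # Absolute or protocol-relative URL: compare the parsed hostname,
        # not the raw netloc, which may carry "user@" or ":port".
        if (parts.hostname or "") not in trusted_hosts:
            return fallback
        scheme = parts.scheme.lower() or "https"
        return urlunsplit((scheme, parts.netloc, parts.path or "/",
                           parts.query, parts.fragment))
    # No authority: must be a site-relative path. A leading "//" never
    # reaches here because urlsplit already parsed it as an authority.
    if not parts.path.startswith("/"):
        return fallback
    return urlunsplit(("", "", parts.path, parts.query, parts.fragment))


def cookie_value(cookie_header, name):
    """Pull one value out of a raw ``Cookie:`` header (first match wins)."""
    for pair in cookie_header.split(";"):
        key, sep, value = pair.strip().partition("=")
        if sep and key == name:
            return value.strip('"')
    return None


def redirect_from_cookie(cookie_header, name="cas_return_to", **kw):
    """Resolve the post-login destination from an untrusted cookie header."""
    return safe_redirect_target(cookie_value(cookie_header, name), **kw)


if __name__ == "__main__":
    # Constructed sample headers exercising the accepted and rejected shapes.
    samples = [
        "session=abc; cas_return_to=/dashboard?tab=2",
        "cas_return_to=https://gateway.example/app",
        "cas_return_to=//evil.example/login",
        "cas_return_to=/\\evil.example",
        "cas_return_to=https://gateway.example@evil.example/",
        'cas_return_to="javascript:alert(1)"',
    ]
    for header in samples:
        print(f"{header!r:58} -> {redirect_from_cookie(header)!r}")
```

The check compares `parts.hostname` rather than the raw authority string because `user@host` and `host:port` forms would otherwise slip past a naive prefix or string match; the backslash normalisation and control-character rejection close the two other common bypasses of path-only allowlists.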

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 18:15:00 +0000

Values removed: none.

Values added:
  • Description: URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Apache APISIX. The default configuration of cas-auth in Apache APISIX is vulnerable to phishing and credential theft. This issue affects Apache APISIX: from 3.0.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue.
  • Title: Apache APISIX: Cas-auth plugin open redirect via unsanitized cookie value
  • Weaknesses: CWE-601
  • References: none listed
  • Metrics: cvssV4_0, score 2.1, vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N


MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-06-19T16:49:50.519Z

Reserved: 2026-05-08T05:41:28.698Z

Link: CVE-2026-44915

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-19T20:15:02Z

Weaknesses
  • CWE-601: URL Redirection to Untrusted Site ('Open Redirect')