Description
Incorrect Authorization vulnerability in Apache APISIX.

An attacker can capitalise on authz-casdoor plugin under default configuration to authenticate themselves with credentials from a different source.
This issue affects Apache APISIX: from 2.14.1 through 3.16.0.

Users are recommended to upgrade to version 3.17.0, which fixes the issue.
Published: 2026-06-19
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability stems from an incorrect authorization logic in the authz-casdoor plugin used by Apache APISIX. An attacker who successfully exploits this flaw can authenticate themselves using credentials that belong to a different source, effectively impersonating other users. The impact is that the attacker gains the privileges associated with the injected credential and can access resources they are normally denied.

Affected Systems

The affected software is Apache APISIX, version 2.14.1 through 3.16.0, belonging to the Apache Software Foundation.

Risk and Exploitability

The CVSS score is 5.3, indicating a moderate severity. EPSS data is not available and the vulnerability is not listed in the CISA KEV catalog, suggesting that there is no publicly documented exploitation yet. However, the attack vector appears to operate through the plugin’s default configuration, so remote exploitation via the API is likely feasible if an attacker can trigger the authz-casdoor logic.

Generated by OpenCVE AI on June 19, 2026 at 21:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache APISIX to version 3.17.0 or later, which contains the fix for the authz-casdoor authorization flaw and resolves the broken access control issue identified as CWE-863.
  • If an upgrade is not immediately possible, disable or remove the authz-casdoor plugin from the APISIX configuration to prevent the incorrect authorization path from being used and mitigate the CWE-863 vulnerability.
  • Validate that the plugin configuration requires legitimate credential sources, ensuring that cross‑source credential leakage cannot occur and addressing the broken access control flaw (CWE-863).

Generated by OpenCVE AI on June 19, 2026 at 21:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 22 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 19 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache apisix
Vendors & Products Apache
Apache apisix

Fri, 19 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
Description Incorrect Authorization vulnerability in Apache APISIX. An attacker can capitalise on authz-casdoor plugin under default configuration to authenticate themselves with credentials from a different source. This issue affects Apache APISIX: from 2.14.1 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue.
Title Apache APISIX: authz-casdoor incorrect session sharing
Weaknesses CWE-863
References
Metrics cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-06-22T16:18:30.495Z

Reserved: 2026-05-19T11:31:05.953Z

Link: CVE-2026-47339

cve-icon Vulnrichment

Updated: 2026-06-22T16:18:25.640Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-19T21:15:16Z

Weaknesses