Impact
This vulnerability stems from an incorrect authorization logic in the authz-casdoor plugin used by Apache APISIX. An attacker who successfully exploits this flaw can authenticate themselves using credentials that belong to a different source, effectively impersonating other users. The impact is that the attacker gains the privileges associated with the injected credential and can access resources they are normally denied.
Affected Systems
The affected software is Apache APISIX, version 2.14.1 through 3.16.0, belonging to the Apache Software Foundation.
Risk and Exploitability
The CVSS score is 5.3, indicating a moderate severity. EPSS data is not available and the vulnerability is not listed in the CISA KEV catalog, suggesting that there is no publicly documented exploitation yet. However, the attack vector appears to operate through the plugin’s default configuration, so remote exploitation via the API is likely feasible if an attacker can trigger the authz-casdoor logic.
OpenCVE Enrichment