Description
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Apache APISIX.

The attacker could manipulate some client headers to perform an open-redirect, to potentially expose the session token.

This issue affects Apache APISIX: from 3.0.0 through 3.16.0.

Users are recommended to upgrade to version 3.17.0, which fixes the issue.
Published: 2026-06-19
Score: 2.1 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a URL redirection flaw (CWE‑601) that allows an attacker to control the target of redirects by manipulating client headers. Unauthorized redirects can send users to malicious sites, potentially exposing session tokens or facilitating phishing attacks.

Affected Systems

Affected software is Apache APISIX, versions 3.0.0 through 3.16.0. The vendor recommends upgrading to 3.17.0, which addresses the redirect issue. Systems running earlier releases are at risk.

Risk and Exploitability

The CVSS score of 2.1 categorizes the vulnerability as low severity. The EPSS score is not available, and the issue is not listed in the CISA KEV catalog, suggesting a modest exploitation probability at present. The likely attack vector is remote, from crafted HTTP requests that modify the Host header or similar fields to influence the CAS service URL. Mitigation requires applying the patch and ensuring that redirect destinations are validated against an approved list to block untrusted endpoints.

Generated by OpenCVE AI on June 19, 2026 at 21:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor patch for Apache APISIX version 3.17.0 or later.
  • Configure the system to validate redirect URLs against a whitelist of trusted domains to prevent open redirects.
  • Disable or restrict header fields that influence the CAS service URL if they are not required for business functionality.

Generated by OpenCVE AI on June 19, 2026 at 21:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 22 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 19 Jun 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache apisix
Vendors & Products Apache
Apache apisix

Fri, 19 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
Description URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Apache APISIX. The attacker could manipulate some client headers to perform an open-redirect, to potentially expose the session token. This issue affects Apache APISIX: from 3.0.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue.
Title Apache APISIX: Cas-auth Host header influence on CAS service URL
Weaknesses CWE-601
References
Metrics cvssV4_0

{'score': 2.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-06-22T16:20:39.998Z

Reserved: 2026-05-26T09:06:16.109Z

Link: CVE-2026-48895

cve-icon Vulnrichment

Updated: 2026-06-22T16:20:35.466Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-19T22:00:07Z

Weaknesses
  • CWE-601

    URL Redirection to Untrusted Site ('Open Redirect')