Impact
The vulnerability permits an attacker to forge identity headers that the APISIX OPA plugin accepts, effectively bypassing authentication and allowing the requester to gain access to upstream services with elevated privileges. Recorded as a CWE‑290 authentication bypass by spoofing flaw.
Affected Systems
Apache APISIX software, versions 3.5.0 through 3.16.0, when the OPA plugin is used with its non‑default configuration.
Risk and Exploitability
Based on the description, it is inferred that the attack can be performed remotely via HTTP requests to the APISIX gateway containing spoofed identity headers, assuming the attacker can reach the service. The CVSS score of 2.3 indicates low impact, and no EPSS data is available, so the likelihood of widespread exploitation is uncertain. The vulnerability is not listed in the CISA KEV catalog. The potential for elevated privileges on upstream services depends on the application’s configuration and the privileges associated with the forged identities.
OpenCVE Enrichment