Description
Authentication Bypass by Spoofing vulnerability in opa plugin.

An attacker could relay spoofed identity headers to upstream capitalising on non-default configuration in opa plugin.

This could allow the attacker to assume higher privileges on the upstream service.
This issue affects Apache APISIX: from 3.5.0 through 3.16.0.

Users are recommended to upgrade to version 3.17.0, which fixes the issue.
Published: 2026-06-19
Score: 2.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability permits an attacker to forge identity headers that the APISIX OPA plugin accepts, effectively bypassing authentication and allowing the requester to gain access to upstream services with elevated privileges. Recorded as a CWE‑290 authentication bypass by spoofing flaw.

Affected Systems

Apache APISIX software, versions 3.5.0 through 3.16.0, when the OPA plugin is used with its non‑default configuration.

Risk and Exploitability

Based on the description, it is inferred that the attack can be performed remotely via HTTP requests to the APISIX gateway containing spoofed identity headers, assuming the attacker can reach the service. The CVSS score of 2.3 indicates low impact, and no EPSS data is available, so the likelihood of widespread exploitation is uncertain. The vulnerability is not listed in the CISA KEV catalog. The potential for elevated privileges on upstream services depends on the application’s configuration and the privileges associated with the forged identities.

Generated by OpenCVE AI on June 19, 2026 at 21:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache APISIX to version 3.17.0 or later where the OPA plugin flaw has been fixed.
  • If an upgrade is not immediately viable, enforce the default validation rules in the OPA plugin configuration to reject forged identity headers.
  • Implement additional server‑side checks to validate authenticated identity information before forwarding requests to upstream services.

Generated by OpenCVE AI on June 19, 2026 at 21:04 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 22 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 19 Jun 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache apisix
Vendors & Products Apache
Apache apisix

Fri, 19 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
Description Authentication Bypass by Spoofing vulnerability in opa plugin. An attacker could relay spoofed identity headers to upstream capitalising on non-default configuration in opa plugin. This could allow the attacker to assume higher privileges on the upstream service. This issue affects Apache APISIX: from 3.5.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue.
Title Apache APISIX: Identity spoofing issue in APISIX opa plugin
Weaknesses CWE-290
References
Metrics cvssV4_0

{'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-06-22T16:20:09.284Z

Reserved: 2026-05-28T06:52:25.554Z

Link: CVE-2026-49231

cve-icon Vulnrichment

Updated: 2026-06-22T16:20:04.293Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-19T21:30:17Z

Weaknesses
  • CWE-290

    Authentication Bypass by Spoofing