Description
Cross-Site Request Forgery (CSRF) vulnerability in the cas-auth plugin under default configurations.

This defect allows a remote attacker who manages to send a victim to a webpage under the attacker's control to cause the victim's browser to become authenticated as a different identity.

Actions the victim then takes upstream are attributed to the attacker's identity.

This issue affects Apache APISIX: from 3.0.0 through 3.16.0.

Users are recommended to upgrade to version 3.17.0, which fixes the issue.
Published: 2026-06-19
Score: 2.1 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A cross-site request forgery flaw exists in the cas-auth plugin of Apache APISIX when it is deployed with default settings. An attacker can trick a victim into visiting a malicious page that causes the victim's browser to authenticate to the APISIX instance as the attacker's identity. Any commands or actions the victim performs on upstream services thereafter are recorded as originating from the attacker. The weakness corresponds to CWE-352.

Affected Systems

Apache APISIX versions 3.0.0 through 3.16.0 are affected when the cas-auth plugin is enabled under its default configuration. The issue is not present in version 3.17.0 or later, which contains the fix.

Risk and Exploitability

The CVSS score of 2.1 rates this vulnerability as low severity, and no EPSS score is available. It is not listed in the CISA KEV catalog. The likely attack vector is remote: the attacker delivers a crafted URL or page to the victim, prompting the victim's browser to issue a request to the cas-auth endpoint and establish the victim's session as the attacker's. Because exploitation relies on user interaction and affects only identity attribution rather than immediate system control, the risk remains low; the resulting misattribution in audit logs is nonetheless a concern. Users should therefore follow the vendor's recommended upgrade promptly.

Generated by OpenCVE AI on June 19, 2026 at 20:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache APISIX to version 3.17.0 or later, which addresses the cas-auth CSRF flaw.
  • If an upgrade cannot be performed immediately, disable the cas-auth plugin or adjust its configuration to eliminate the default CSRF-vulnerable flow.
  • Monitor logs and audit trails for anomalous identity attribution that might indicate exploitation of the vulnerability.

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in the cas-auth plugin under default configurations. This defect allows a remote attacker that manages to send a victim to a webpage controlled by them can cause the victim's browser to become authenticated as a different identity. Actions the victim takes upstream are then attributed to attackers identity. This issue affects Apache APISIX: from 3.0.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue.
Title Apache APISIX: cas-auth login CSRF / session injection issue
Weaknesses CWE-352
References
Metrics cvssV4_0 {'score': 2.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-06-19T16:49:57.460Z

Reserved: 2026-06-02T02:37:57.807Z

Link: CVE-2026-49871

Vulnrichment

No data.

NVD

No data.

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-06-19T20:15:02Z

Weaknesses
  • CWE-352: Cross-Site Request Forgery (CSRF)