Description
Improper Authentication vulnerability in Apache APISIX.

When the cas-auth plugin is used in a route, an attacker can possibly authenticate itself with credentials from a different source.
This issue affects Apache APISIX: from 3.0.0 through 3.16.0.

Users are recommended to upgrade to version 3.17.0, which fixes the issue.
Published: 2026-06-19
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Apache APISIX allows an attacker to authenticate using credentials from a different source when the cas-auth plugin is enabled on a route. This flaw lets unauthorized users gain access they should not have, compromising confidentiality and potentially enabling further malicious actions. The weakness is classified under CWE-287 (Improper Authentication).

Affected Systems

The vulnerability impacts Apache Software Foundation's Apache APISIX from version 3.0.0 up to and including 3.16.0. Any deployment of these versions that utilizes the cas-auth plugin is susceptible, regardless of whether the plugin is used for internal or external traffic.

Risk and Exploitability

The CVSS v4.0 score for this flaw is 5.3 (Medium), indicating a moderate impact. No EPSS score is available and the vulnerability is not listed in CISA’s KEV catalog, so there is no current evidence of active exploitation. However, exploitation is straightforward if the plugin is enabled: an attacker needs only to send authentication requests through the affected route with credentials from another source. The attack does not require elevated privileges or special preconditions beyond access to the API gateway’s configured routes.

Generated by OpenCVE AI on June 19, 2026 at 20:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache APISIX to version 3.17.0 or later, which contains the fix for the cas-auth authentication flaw.
  • If an immediate upgrade is not possible, disable the cas-auth plugin on all routes until a patch can be applied.
  • Review and tighten authentication configurations to ensure credentials are sourced strictly from the intended authentication provider.

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 18:15:00 +0000

Type         Values Removed   Values Added
Description  (none)           Improper Authentication vulnerability in Apache APISIX. When the cas-auth plugin is used in a route, an attacker can possibly authenticate itself with credentials from a different source. This issue affects Apache APISIX: from 3.0.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue.
Title        (none)           Apache APISIX: Improper authentication in cas-auth plugin
Weaknesses   (none)           CWE-287
References   (none)           (none)
Metrics      (none)           cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N'}


MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-06-19T16:49:58.602Z

Reserved: 2026-06-02T03:54:04.009Z

Link: CVE-2026-49872

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-19T20:15:02Z

Weaknesses