Shodan
Vulnerabilities
Vulnerable Software

Vulnerability Details CVE-2026-49871

Cross-Site Request Forgery (CSRF) vulnerability in the cas-auth plugin under default configurations. This defect allows a remote attacker that manages to send a victim to a webpage controlled by them can cause the victim's browser to become authenticated as a different identity. Actions the victim takes upstream are then attributed to attackers identity. This issue affects Apache APISIX: from 3.0.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 13.4%
CVSS Severity
CVSS v3 Score 9.3
Products affected by CVE-2026-49871
  • Apache » Apisix » Version: 3.0.0
    cpe:2.3:a:apache:apisix:3.0.0
  • Apache » Apisix » Version: 3.1.0
    cpe:2.3:a:apache:apisix:3.1.0
  • Apache » Apisix » Version: 3.10.0
    cpe:2.3:a:apache:apisix:3.10.0
  • Apache » Apisix » Version: 3.11.0
    cpe:2.3:a:apache:apisix:3.11.0
  • Apache » Apisix » Version: 3.12.0
    cpe:2.3:a:apache:apisix:3.12.0
  • Apache » Apisix » Version: 3.13.0
    cpe:2.3:a:apache:apisix:3.13.0
  • Apache » Apisix » Version: 3.14.0
    cpe:2.3:a:apache:apisix:3.14.0
  • Apache » Apisix » Version: 3.14.1
    cpe:2.3:a:apache:apisix:3.14.1
  • Apache » Apisix » Version: 3.15.0
    cpe:2.3:a:apache:apisix:3.15.0
  • Apache » Apisix » Version: 3.16.0
    cpe:2.3:a:apache:apisix:3.16.0
  • Apache » Apisix » Version: 3.2.0
    cpe:2.3:a:apache:apisix:3.2.0
  • Apache » Apisix » Version: 3.2.1
    cpe:2.3:a:apache:apisix:3.2.1
  • Apache » Apisix » Version: 3.2.2
    cpe:2.3:a:apache:apisix:3.2.2
  • Apache » Apisix » Version: 3.3.0
    cpe:2.3:a:apache:apisix:3.3.0
  • Apache » Apisix » Version: 3.4.0
    cpe:2.3:a:apache:apisix:3.4.0
  • Apache » Apisix » Version: 3.4.1
    cpe:2.3:a:apache:apisix:3.4.1
  • Apache » Apisix » Version: 3.5.0
    cpe:2.3:a:apache:apisix:3.5.0
  • Apache » Apisix » Version: 3.6.0
    cpe:2.3:a:apache:apisix:3.6.0
  • Apache » Apisix » Version: 3.6.1
    cpe:2.3:a:apache:apisix:3.6.1
  • Apache » Apisix » Version: 3.7.0
    cpe:2.3:a:apache:apisix:3.7.0
  • Apache » Apisix » Version: 3.8.0
    cpe:2.3:a:apache:apisix:3.8.0
  • Apache » Apisix » Version: 3.8.1
    cpe:2.3:a:apache:apisix:3.8.1
  • Apache » Apisix » Version: 3.9.0
    cpe:2.3:a:apache:apisix:3.9.0
  • Apache » Apisix » Version: 3.9.1
    cpe:2.3:a:apache:apisix:3.9.1


Products
Pricing
Contact Us

Shodan ® - All rights reserved