Shodan
Vulnerabilities
Vulnerable Software
Apache:  >> Apisix  >> 3.13.0  Security Vulnerabilities
CVE-2026-39998
Improper Input Validation vulnerability in Apache APISIX. The attacker can take advantage of certain configuration in forward-auth plugin to spoof identity headers. This issue affects Apache APISIX: from 2.12.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue.
CVSS Score
5.8
EPSS Score
0.003
Published
2026-06-19
CVE-2026-39999
Authentication Bypass by Spoofing vulnerability in Apache APISIX. The attacker can completely bypass authentication capitalising on certain configurations of jwt-auth plugin. This issue affects Apache APISIX: from v2.2 through v3.16.0. Users are recommended to upgrade to version v3.17.0, which fixes the issue.
CVSS Score
7.0
EPSS Score
0.004
Published
2026-06-19
CVE-2026-31908
Header injection vulnerability in Apache APISIX. The attacker can take advantage of certain configuration in forward-auth plugin to inject malicious headers. This issue affects Apache APISIX: from 2.12.0 through 3.15.0. Users are recommended to upgrade to version 3.16.0, which fixes the issue.
CVSS Score
9.1
EPSS Score
0.005
Published
2026-04-14
CVE-2026-31923
Cleartext Transmission of Sensitive Information vulnerability in Apache APISIX. This can occur due to `ssl_verify` in openid-connect plugin configuration being set to false by default. This issue affects Apache APISIX: from 0.7 through 3.15.0. Users are recommended to upgrade to version 3.16.0, which fixes the issue.
CVSS Score
7.5
EPSS Score
0.003
Published
2026-04-14
CVE-2026-31924
Cleartext Transmission of Sensitive Information vulnerability in Apache APISIX. tencent-cloud-cls log export uses plaintext HTTP This issue affects Apache APISIX: from 2.99.0 through 3.15.0. Users are recommended to upgrade to version 3.16.0, which fixes the issue.
CVSS Score
5.3
EPSS Score
0.002
Published
2026-04-14
CVE-2025-62232
Sensitive data exposure via logging in basic-auth leads to plaintext usernames and passwords written to error logs and forwarded to log sinks when log level is INFO/DEBUG. This creates a high risk of credential compromise through log access. It has been fixed in the following commit:  https://github.com/apache/apisix/pull/12629 Users are recommended to upgrade to version 3.14, which fixes this issue.
CVSS Score
7.5
EPSS Score
0.004
Published
2025-10-31


Products
Pricing
Contact Us

Shodan ® - All rights reserved