CVE Catalog

CVE-2026-44915

MediumCVSS 6.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.30%

21th percentile — higher than 21% of all known CVEs

Summary

The 'Open Redirect' vulnerability in Apache APISIX allows redirecting users to untrusted sites, potentially leading to phishing and credential theft. This affects versions from 3.0.0 to 3.16.0.

Risk Assessment

Organizations may be exposed to phishing attacks, which could result in credential loss and user trust issues.

Recommendation

It is recommended to upgrade to version 3.17.0, which fixes the issue.

Original NVD description (English source)

URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Apache APISIX. The default configuration of cas-auth in Apache APISIX is vulnerable to phishing and credential theft. This issue affects Apache APISIX: from 3.0.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS