CVE-2026-44915
MediumCVSS 6.1Exploitation Probability (EPSS)
Low risk21th percentile — higher than 21% of all known CVEs
Summary
The 'Open Redirect' vulnerability in Apache APISIX allows redirecting users to untrusted sites, potentially leading to phishing and credential theft. This affects versions from 3.0.0 to 3.16.0.
Risk Assessment
Organizations may be exposed to phishing attacks, which could result in credential loss and user trust issues.
Recommendation
It is recommended to upgrade to version 3.17.0, which fixes the issue.
Original NVD description (English source)
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Apache APISIX. The default configuration of cas-auth in Apache APISIX is vulnerable to phishing and credential theft. This issue affects Apache APISIX: from 3.0.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue.

