CVE-2026-48895
HighCVSS 7.2Exploitation Probability (EPSS)
Low risk21th percentile - higher than 21% of all known CVEs
Summary
The 'Open Redirect' vulnerability in Apache APISIX allows an attacker to manipulate client headers, potentially leading to redirection to an untrusted site and exposure of the session token.
Risk Assessment
The organization may be at risk of session theft, which could lead to unauthorized access to data.
Recommendation
Users are recommended to upgrade to version 3.17.0, which fixes the issue.
Original NVD description (English source)
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Apache APISIX. The attacker could manipulate some client headers to perform an open-redirect, to potentially expose the session token. This issue affects Apache APISIX: from 3.0.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue.

