CVE Catalog

CVE-2026-49231

MediumCVSS 5.4
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.36%

27th percentile — higher than 27% of all known CVEs

Summary

CVE-2026-49231 is an authentication bypass by spoofing vulnerability in the opa plugin. An attacker could relay spoofed identity headers to upstream, potentially allowing them to assume higher privileges.

Risk Assessment

The organization may be exposed to unauthorized access to upstream services, leading to serious security breaches.

Recommendation

It is recommended to upgrade to version 3.17.0, which fixes the issue.

Original NVD description (English source)

Authentication Bypass by Spoofing vulnerability in opa plugin. An attacker could relay spoofed identity headers to upstream capitalising on non-default configuration in opa plugin. This could allow the attacker to assume higher privileges on the upstream service. This issue affects Apache APISIX: from 3.5.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS