CVE-2026-49231
MediumCVSS 5.4Exploitation Probability (EPSS)
Low risk27th percentile — higher than 27% of all known CVEs
Summary
CVE-2026-49231 is an authentication bypass by spoofing vulnerability in the opa plugin. An attacker could relay spoofed identity headers to upstream, potentially allowing them to assume higher privileges.
Risk Assessment
The organization may be exposed to unauthorized access to upstream services, leading to serious security breaches.
Recommendation
It is recommended to upgrade to version 3.17.0, which fixes the issue.
Original NVD description (English source)
Authentication Bypass by Spoofing vulnerability in opa plugin. An attacker could relay spoofed identity headers to upstream capitalising on non-default configuration in opa plugin. This could allow the attacker to assume higher privileges on the upstream service. This issue affects Apache APISIX: from 3.5.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue.

