CVE-2026-49872
HighCVSS 8.1Exploitation Probability (EPSS)
Low risk25th percentile - higher than 25% of all known CVEs
Summary
CVE-2026-49872 describes an improper authentication vulnerability in Apache APISIX that allows an attacker to authenticate with credentials from a different source when the cas-auth plugin is used in a route. This issue affects versions from 3.0.0 to 3.16.0.
Risk Assessment
Organizations may be exposed to unauthorized access to systems, potentially leading to data breaches or other serious security incidents.
Recommendation
It is recommended to upgrade to version 3.17.0, which fixes the issue.
Original NVD description (English source)
Improper Authentication vulnerability in Apache APISIX. When the cas-auth plugin is used in a route, an attacker can possibly authenticate itself with credentials from a different source. This issue affects Apache APISIX: from 3.0.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue.

