This page lists publicly disclosed CVE vulnerabilities affecting apache apisix (linked via NVD CPE). Each row includes severity scores, summaries, and publication dates to help identify and analyze security issues.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2026-31924 | Cleartext Transmission of Sensitive Information vulnerability in Apache APISIX. tencent-cloud-cls log export uses plaintext HTTP This issue affects Apache APISIX: from 2.99.0 through 3.15.0. Users are recommended to upgrade to version 3.16.0, which fixes the issue. | [email protected] | 5.3 | 0.05% | 2026-04-14 | 2026-04-17 |
| CVE-2026-31923 | Cleartext Transmission of Sensitive Information vulnerability in Apache APISIX. This can occur due to `ssl_verify` in openid-connect plugin configuration being set to false by default. This issue affects Apache APISIX: from 0.7 through 3.15.0. Users are recommended to upgrade to version 3.16.0, which fixes the issue. | [email protected] | 7.5 | 0.01% | 2026-04-14 | 2026-04-17 |
| CVE-2026-31908 | Header injection vulnerability in Apache APISIX. The attacker can take advantage of certain configuration in forward-auth plugin to inject malicious headers. This issue affects Apache APISIX: from 2.12.0 through 3.15.0. Users are recommended to upgrade to version 3.16.0, which fixes the issue. | [email protected] | 9.1 | 0.04% | 2026-04-14 | 2026-04-17 |
| CVE-2025-62232 | Sensitive data exposure via logging in basic-auth leads to plaintext usernames and passwords written to error logs and forwarded to log sinks when log level is INFO/DEBUG. This creates a high risk of credential compromise through log access. It has been fixed in the following commit: https://github.com/apache/apisix/pull/12629 Users are recommended to upgrade to version 3.14, which fixes this issue. | [email protected] | 7.5 | 0.11% | 2025-10-31 | 2025-11-05 |
| CVE-2025-27446 | Incorrect Permission Assignment for Critical Resource vulnerability in Apache APISIX(java-plugin-runner). Local listening file permissions in APISIX plugin runner allow a local attacker to elevate privileges. This issue affects Apache APISIX(java-plugin-runner): from 0.2.0 through 0.5.0. Users are recommended to upgrade to version 0.6.0 or higher, which fixes the issue. | [email protected] | 7.8 | 0.01% | 2025-07-06 | 2025-11-04 |
| CVE-2025-46647 | A vulnerability of plugin openid-connect in Apache APISIX. This vulnerability will only have an impact if all of the following conditions are met: 1. Use the openid-connect plugin with introspection mode 2. The auth service connected to openid-connect provides services to multiple issuers 3. Multiple issuers share the same private key and relies only on the issuer being different If affected by this vulnerability, it would allow an attacker with a valid account on one of the issuers to log int | [email protected] | 5.3 | 0.29% | 2025-07-02 | 2025-11-04 |
| CVE-2024-32638 | Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in Apache APISIX when using `forward-auth` plugin.This issue affects Apache APISIX: from 3.8.0, 3.9.0. Users are recommended to upgrade to version 3.8.1, 3.9.1 or higher, which fixes the issue. | [email protected] | 6.3 | 0.47% | 2024-05-02 | 2025-07-10 |
| CVE-2023-44487 KEV | The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. | [email protected] | 7.5 | 94.45% | 2023-10-10 | 2026-05-12 |
| CVE-2022-29266 | In APache APISIX before 3.13.1, the jwt-auth plugin has a security issue that leaks the user's secret key because the error message returned from the dependency lua-resty-jwt contains sensitive information. | [email protected] | 7.5 | 35.84% | 2022-04-20 | 2024-11-21 |
| CVE-2022-25757 | In Apache APISIX before 2.13.0, when decoding JSON with duplicate keys, lua-cjson will choose the last occurred value as the result. By passing a JSON with a duplicate key, the attacker can bypass the body_schema validation in the request-validation plugin. For example, `{"string_payload":"bad","string_payload":"good"}` can be used to hide the "bad" input. Systems satisfy three conditions below are affected by this attack: 1. use body_schema validation in the request-validation plugin 2. upstrea | [email protected] | 9.8 | 0.42% | 2022-03-28 | 2024-11-21 |
| CVE-2022-24112 KEV | An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. A default configuration of Apache APISIX (with default API key) is vulnerable to remote code execution. When the admin key was changed or the port of Admin API was changed to a port different from the data panel, the impact is lower. But there is still a risk to bypass the IP restriction of Apache APISIX's data panel. There is a check in the batch-requests plugin which overrides the client | [email protected] | 9.8 | 94.44% | 2022-02-11 | 2025-10-23 |
| CVE-2021-43557 | The uri-block plugin in Apache APISIX before 2.10.2 uses $request_uri without verification. The $request_uri is the full original request URI without normalization. This makes it possible to construct a URI to bypass the block list on some occasions. For instance, when the block list contains "^/internal/", a URI like `//internal/` can be used to bypass it. Some other plugins also have the same issue. And it may affect the developer's custom plugin. | [email protected] | 7.5 | 58.26% | 2021-11-22 | 2024-11-21 |
| CVE-2020-13945 | In Apache APISIX, the user enabled the Admin API and deleted the Admin API access IP restriction rules. Eventually, the default token is allowed to access APISIX management data. This affects versions 1.2, 1.3, 1.4, 1.5. | [email protected] | 6.5 | 93.43% | 2020-12-07 | 2024-11-21 |