ByteOS Network

NVD Vulnerability Details :

CVE-2026-44087

Analyzed

Source-security@apache.org

Published At-19 Jun, 2026 | 14:16

Updated At-23 Jun, 2026 | 15:11

Insufficient Verification of Data Authenticity vulnerability in Apache APISIX. The openid-connect plugin under default configuration has an attack surface that allows the attacker to spoof identity headers allowing the attacker to get unauthorized access the protected resources. This issue affects Apache APISIX: from 2.3 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Secondary	4.0	5.3	MEDIUM	CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary	3.1	9.1	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
			N/A

Type: Secondary

Version: 4.0

Base score: 5.3

Base severity: MEDIUM

Vector:

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Type: Primary

Version: 3.1

Base score: 9.1

Base severity: CRITICAL

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Type: N/A

Version:

Base score:

Base severity: N/A

Vector:

CPE Matches

The Apache Software Foundation

>>apisix>>Versions from 2.3(inclusive) to 3.17.0(exclusive)

cpe:2.3:a:apache:apisix:*:*:*:*:*:*:*:*

Weaknesses

CWE ID	Type	Source
CWE-345	Secondary	security@apache.org

CWE ID: CWE-345

Type: Secondary

Source: security@apache.org

References

Hyperlink	Source	Resource
https://lists.apache.org/thread/72ryrgdssk6s2x9d6xn14bxyyl878xfm	security@apache.org	Vendor Advisory Mailing List
http://www.openwall.com/lists/oss-security/2026/06/19/7	af854a3a-2127-422b-91ae-364da2661108	Third Party Advisory

Hyperlink: https://lists.apache.org/thread/72ryrgdssk6s2x9d6xn14bxyyl878xfm

Source: security@apache.org

Resource:

Vendor Advisory

Mailing List

Hyperlink: http://www.openwall.com/lists/oss-security/2026/06/19/7

Source: af854a3a-2127-422b-91ae-364da2661108

Resource:

Third Party Advisory

CISA Catalog

Metrics

CPE Matches

Weaknesses

Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References

Change History