Authentication Bypass Vulnerability in Apache APISIX OPA Plugin
CVE-2026-49231

2.3LOW

Key Information:

Vendor: Apache
Status: Apache Apisix
Vendor: CVE Published:; 19 June 2026

What is CVE-2026-49231?

A vulnerability in the OPA plugin for Apache APISIX allows attackers to exploit non-default configurations by relaying spoofed identity headers to upstream services. This manipulation can enable unauthorized privilege escalation, compromising the integrity of the system. To mitigate this risk, users are advised to upgrade to version 3.17.0, which resolves the issue and enhances security.

Affected Version(s)

Apache APISIX 3.5.0 <= 3.16.0

References

https://lists.apache.org/thread/s1jd1vxm59p6ghx47xhmpjdk1...

vendor-advisory

CVSS V4

Score:

2.3

Severity:

LOW

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 19, 2026
Vulnerability Reserved
May 28, 2026

Credit

lokerxxx

CVE-2026-49231 Data

JSON