Cross-Site Request Forgery Vulnerability in Apache APISIX by Apache
CVE-2026-49871

2.1 LOW

Key Information:

Vendor: Apache
CVE Published: 19 June 2026

What is CVE-2026-49871?

A Cross-Site Request Forgery (CSRF) vulnerability exists in the cas-auth plugin of Apache APISIX when it is used with its default configuration. A remote attacker can lure a victim to a malicious web page that causes the victim's browser to be authenticated as an unintended user (a login CSRF). Any actions the victim then performs on the site while in that session are executed under the attacker's identity, which poses a significant security risk. Users are strongly advised to upgrade to version 3.17.0, which fixes this issue.

Affected Version(s)

Apache APISIX 3.0.0 through 3.16.0 (inclusive)

CVSS v4

Score: 2.1
Severity: LOW
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

lokerxxx