About “Apache APISIX”

A curated feed of “Apache APISIX”-related CVEs appears below. We currently track 13 CVEs for this tag (all time). In the last 365 days, 5 were published. Average CVSS is 7.5 (all time; 7.0 over 365d), and 62% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-319 - Cleartext Transmission of Sensitive Information, CWE-75 - Failure to Sanitize Special Elements into a Different Plane (Special Element Injection), CWE-732 - Incorrect Permission Assignment for Critical Resource.

In our taxonomy this topic maps to a LOW impact class. API gateways sit at the edge. Patch, enforce auth and rate limits, validate JWT and CORS, and restrict admin APIs. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

Support & lifecycle: apache-apisix

This table shows recent release cycles and their projected end-of-life. Data source: endoflife.date.

Cycle   Latest   EOL       LTS
3.16    3.16.0   -
3.15    3.15.0   Expired
3.14    3.14.1   Expired
3.13    3.13.0   Expired
3.12    3.12.0   Expired
3.11    3.11.0   Expired
3.10    3.10.0   Expired
3.9     3.9.1    Expired
3.8     3.8.1    Expired
3.7     3.7.0    Expired
3.6     3.6.0    Expired
3.5     3.5.0    Expired
3.4     3.4.1    Expired
3.3     3.3.0    Expired
3.2     3.2.2    Expired   LTS
3.1     3.1.0    Expired
3.0     3.0.0    Expired
2.15    2.15.3   Expired   LTS
2.14    2.14.1   Expired
2.13    2.13.3   Expired   LTS
2.12    2.12.1   Expired
2.11    2.11.0   Expired
2.10    2.10.5   Expired   LTS


CVEs tagged with this topic:
2026-04-14
Medium

CVE-2026-31924

Cleartext Transmission of Sensitive Information vulnerability in Apache APISIX. The tencent-cloud-cls log export uses plaintext HTTP. This issue affects Apache APISIX: from 2.99.0 through 3.15.0. Users…

High

CVE-2026-31923

Cleartext Transmission of Sensitive Information vulnerability in Apache APISIX. This can occur due to `ssl_verify` in openid-connect plugin configuration being set to false by default. This issue af…

Critical

CVE-2026-31908

Header injection vulnerability in Apache APISIX. The attacker can take advantage of certain configuration in forward-auth plugin to inject malicious headers. This issue affects Apache APISIX: from 2…

2025-07-06
High

CVE-2025-27446

Incorrect Permission Assignment for Critical Resource vulnerability in Apache APISIX (java-plugin-runner). Local listening file permissions in the APISIX plugin runner allow a local attacker to elevate p…

2025-07-02
Medium

CVE-2025-46647

A vulnerability of plugin openid-connect in Apache APISIX. This vulnerability will only have an impact if all of the following conditions are met: 1. Use the openid-connect plugin with introspection…

2024-05-02
Medium

CVE-2024-32638

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in Apache APISIX when using the `forward-auth` plugin. This issue affects Apache APISIX: from 3.8.0, 3.9.0. Users are…

2022-04-20
High

CVE-2022-29266

In Apache APISIX before 3.13.1, the jwt-auth plugin has a security issue that leaks the user's secret key because the error message returned from the dependency lua-resty-jwt contains sensitive infor…

2022-03-28
Critical

CVE-2022-25757

In Apache APISIX before 2.13.0, when decoding JSON with duplicate keys, lua-cjson will choose the last occurred value as the result. By passing a JSON with a duplicate key, the attacker can bypass th…

2022-02-11
Critical

CVE-2022-24112

An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. A default configuration of Apache APISIX (with default API key) is vulnerable to remote cod…

2021-12-27
Critical

CVE-2021-45232

In Apache APISIX Dashboard before 2.10.1, the Manager API uses two frameworks and introduces framework `droplet` on the basis of framework `gin`, all APIs and authentication middleware are developed…

2021-11-22
High

CVE-2021-43557

The uri-block plugin in Apache APISIX before 2.10.2 uses $request_uri without verification. The $request_uri is the full original request URI without normalization. This makes it possible to construc…

2021-06-08
Medium

CVE-2021-33190

In Apache APISIX Dashboard version 2.6, we changed the default value of listen host to 0.0.0.0 in order to facilitate users to configure external network access. In the IP allowed list restriction, a…

2020-12-07
Medium

CVE-2020-13945

In Apache APISIX, the user enabled the Admin API and deleted the Admin API access IP restriction rules. Eventually, the default token is allowed to access APISIX management data. This affects version…
