CVE-2026-31908
Header Injection in Apache APISIX Forward-Auth Plugin Allows Malicious Requests
Publication date: 2026-04-14
Last updated on: 2026-04-17
Assigner: Apache Software Foundation
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | apisix | From 2.12.0 (inc) to 3.16.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-75 | The product does not adequately filter user-controlled input for special elements with control implications. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-31908 is a header injection vulnerability found in the Apache APISIX forward-auth plugin. This flaw affects versions from 2.12.0 through 3.15.0. An attacker can exploit certain configurations in the forward-auth plugin to inject malicious HTTP headers into requests.
How can this vulnerability impact me? :
This vulnerability allows an attacker to manipulate HTTP request headers by injecting malicious headers. Such manipulation can lead to security risks including unauthorized access or tampering with requests, potentially compromising the integrity and security of the affected system.
What immediate steps should I take to mitigate this vulnerability?
To mitigate the header injection vulnerability in Apache APISIX's forward-auth plugin, users are recommended to upgrade their Apache APISIX installation to version 3.16.0 or later, as this version contains the fix for the issue.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify how the header injection vulnerability in Apache APISIX affects compliance with common standards and regulations such as GDPR or HIPAA.